@rsoaresd rsoaresd commented Sep 4, 2025

Description

Update dependencies

| Tool/Library | Current Version | Updates to Version |
|---|---|---|
| k8s.io/* | v0.31.2 | v0.32.2 |
| controller-runtime | v0.19.7 | v0.20.4 |
| controller-tools | v0.16.5 | v0.17.2 |

Related PRs

Issue ticket number and link

SANDBOX-1357

Checks

  1. Did you run make generate target? yes

  2. Did make generate change anything in other projects (host-operator, member-operator)? yes

  3. In case of new CRD, did you do the following? N/A

  4. In case other projects are changed, please provide PR links.

Summary by CodeRabbit

  • Documentation

    • Updated build requirement to Go 1.23.x and cleaned up API reference text/formatting (escaped braces, removed redundant notes, minor whitespace edits).
  • Chores

    • Upgraded Go toolchain and refreshed Kubernetes/OpenShift and related dependencies.
    • Enabled an additional linter check.
    • Removed a previously ignored vulnerability entry from vulnerability config.
  • Notes

    • No functional changes or public API modifications.

coderabbitai bot commented Sep 4, 2025

Walkthrough

Documentation and dependency updates: Go/toolchain and multiple Kubernetes/OpenShift-related modules bumped; README and api v1alpha1 apiref docs edited (escaped braces, removed some notes); .golangci.yml enables copyloopvar; .govulncheck.yaml cleared an ignored vulnerability. No source-code, API, or CRD functional changes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Build & Dependencies: go.mod | Bump Go to 1.23.0 and toolchain to go1.23.12; upgrade OpenShift API, k8s.io/* packages, sigs.k8s.io/controller-runtime, controller-tools, kube-openapi, gengo, and several indirect deps. No public API/signature changes. |
| Top-level Docs: README.adoc | Building section updated to require Go 1.23.x (>= 1.23.12) instead of 1.22.x. |
| API Documentation: api/v1alpha1/docs/apiref.adoc | Doc-only edits: escape braces in XPreserveUnknownFields (changed to \{}), remove some NOTE/default explanatory lines (e.g., SpaceProvisionerCapacityThresholds, TierTemplate notes), and minor whitespace tweaks. No CRD/schema changes. |
| Linters: .golangci.yml | Added copyloopvar to linters.enable. |
| Vulnerability Config: .govulncheck.yaml | Removed GO-2025-3750 entry from ignored-vulnerabilities; replaced the block with an empty list []. |
| Consolidated docs: README.adoc, api/... | Aggregated documentation updates: version requirement bump and apiref textual adjustments. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

I hopped from v1.22 to one-two-three,
Braces escaped and docs set free.
Linters listen, vuln list cleared,
No code scratched — just notes steered.
Thump-thump — a tidy rabbit cheer! 🐇✨


Pre-merge checks

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title Check | ✅ Passed | The title clearly identifies the key purpose of the changeset—updating Kubernetes and OpenShift dependencies to align with the 4.19 release—and includes the issue reference for context, making it concise and informative for anyone reviewing the repository history. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |
| Description Check | ✅ Passed | The PR description follows the repository template and includes a clear Description of dependency updates, a Checks section with answers for make generate and cross-project impacts, related PR links, and the issue ticket reference. Most required fields are present and filled, making the description functionally complete for review. Minor issues: the Checks section contains an incomplete member-operator PR URL and the controller-tools version stated (v0.17.2) does not match the go.mod summary (v0.17.3); these are non-blocking but should be corrected for accuracy. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
go.mod (1)

55-56: Two gengo modules may be unnecessary.

You now depend on k8s.io/gengo/v2; keeping the legacy k8s.io/gengo (v0) can cause dual-module ambiguity in tooling. If not required directly, drop the v0 line.

Apply if safe:

-	k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01

Verify no direct imports of the v0 path remain before removal.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e5bb9d8 and 4dd5101.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • README.adoc (1 hunks)
  • api/v1alpha1/docs/apiref.adoc (24 hunks)
  • go.mod (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Verify Dependencies
🔇 Additional comments (3)
README.adoc (1)

11-11: Approve bump to Go 1.23.x
CI workflows use actions/setup-go@v5 with go-version-file: go.mod (installing the latest patch), and no Dockerfiles or docs pin Go 1.22 remain.

go.mod (2)

9-18: Dependency bumps to OpenShift 4.19/K8s 0.32/controller-runtime 0.20 align well; coordinate downstreams.

Confirm host-operator and member-operator PRs pin to the same k8s/controller-runtime/controller-tools set to avoid CRD/codegen drift across repos.


3-5: Go toolchain upgrade verified — no 1.22 references remain
All CI workflows, hack/build scripts, and Dockerfiles now reference Go 1.23.12+; no lingering 1.22 mentions detected.

| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#listmeta-v1-meta[$$ListMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| |
| *`items`* __xref:{anchor_prefix}-github-com-codeready-toolchain-api-api-v1alpha1-banneduser[$$BannedUser$$] array__ | | | XPreserveUnknownFields: {} +
| *`items`* __xref:{anchor_prefix}-github-com-codeready-toolchain-api-api-v1alpha1-banneduser[$$BannedUser$$] array__ | | | XPreserveUnknownFields: \{} +

💡 Verification agent

🧩 Analysis chain

Escaping braces in XPreserveUnknownFields is correct for AsciiDoc rendering.

Good catch—this avoids attribute substitution issues and renders the literal “{}”.

Quick check for any unescaped leftovers:

Also applies to: 822-822, 938-938, 1066-1066, 1211-1211, 1388-1388, 1555-1555, 1722-1722, 1960-1960, 2515-2515, 2565-2565, 2697-2697, 2802-2802, 2924-2924, 3096-3096, 3145-3145, 3300-3300, 3399-3399, 3541-3541, 3683-3683, 3803-3803, 4065-4065


🏁 Script executed:

#!/bin/bash
rg -n 'XPreserveUnknownFields:\s*\{\}' api/v1alpha1/docs/apiref.adoc -C1

Length of output: 1526


Escape braces in all XPreserveUnknownFields occurrences
Instances of

XPreserveUnknownFields: {}

remain unescaped in api/v1alpha1/docs/apiref.adoc (e.g. lines 147, 785, 901, 1029, 1152, 1329, 1497, 1685, 1923, 2345, 2451, 2478, 2528, 2765, 2866, 3060, 3109, 3241, 3361, 3482, 3625, 3766, 3887, 4029). Update each to

XPreserveUnknownFields: \{}
🤖 Prompt for AI Agents
In api/v1alpha1/docs/apiref.adoc around line 183 (and the other listed
occurrences), replace any literal occurrence of "XPreserveUnknownFields: {}"
with an escaped brace form "XPreserveUnknownFields: \{}" so the braces are
treated as literal characters in the AsciiDoc output; update every instance on
the mentioned lines (147, 785, 901, 1029, 1152, 1329, 1497, 1685, 183, 1923,
2345, 2451, 2478, 2528, 2765, 2866, 3060, 3109, 3241, 3361, 3482, 3625, 3766,
3887, 4029) ensuring exact replacement and no other changes to surrounding text.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
go.mod (1)

9-11: Openshift API pseudo-version: avoid “latest” wording in comments.

The commit is pinned; the “latest commit” phrasing will age poorly. Suggest rewording comment only.

-// using latest commit from 'github.com/openshift/api branch release-4.19'
+// pinned commit from 'github.com/openshift/api' branch 'release-4.19'
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4dd5101 and 9aaf9ac.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • .golangci.yml (1 hunks)
  • .govulncheck.yaml (1 hunks)
  • go.mod (2 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.govulncheck.yaml

[error] 1-1: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Verify Dependencies
🔇 Additional comments (2)
.golangci.yml (1)

33-33: Approve copyloopvar addition: CI golangci-lint v2.2.2 (2025-07-11) includes the copyloopvar linter.

go.mod (1)

14-14: Legacy gengo v0 is still required
tools.go imports k8s.io/gengo/args (tools.go:14), so the v0 module entry must remain; do not remove the k8s.io/gengo v0.0.0-... require.

Likely an incorrect or invalid review comment.

- id: GO-2025-3750
silence-until: 2025-10-02
info: https://pkg.go.dev/vuln/GO-2025-3750 No newline at end of file
ignored-vulnerabilities: No newline at end of file
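
Review bot: The GO-2025-3750 entry is removed before its silence-until: 2025-10-02 date, and nothing in the hunk records why the exception is no longer needed. State in the PR description which version bump in this change resolves the finding, and confirm the govulncheck job passes without the entry, so the ignore is not simply re-added later. The key that remains, ignored-vulnerabilities:, has no value and the file still lacks a trailing newline; an explicit empty list reads unambiguously.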

🛠️ Refactor suggestion

Use an empty list and add trailing newline to avoid parser hiccups.

ignored-vulnerabilities: without a sequence may be treated as null; YAMLlint also flags missing EOF newline.

Apply:

-ignored-vulnerabilities:
+ignored-vulnerabilities: []

And ensure the file ends with a newline.

Suggested change
ignored-vulnerabilities:
ignored-vulnerabilities: []

🤖 Prompt for AI Agents
In .govulncheck.yaml around line 1, the key `ignored-vulnerabilities:` is
currently bare which may be parsed as null and the file is missing a trailing
newline; update the value to an explicit empty sequence (e.g.
`ignored-vulnerabilities: []`) and ensure the file ends with a newline character
so YAML linters and parsers treat it correctly.

Comment on lines +3 to 6
go 1.23.0

toolchain go1.22.12
toolchain go1.23.12
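
Review bot: The go line and the toolchain line name different patch releases (go 1.23.0 versus toolchain go1.23.12), and the go line is the one that sets the minimum Go version for any module that requires this one. Note in the description that the downstream projects named there (host-operator, member-operator) must build with Go 1.23 or newer once they pick up this change, and keep the patch-level floor stated in one place so it cannot drift from the toolchain line.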


💡 Verification agent

🧩 Analysis chain

Go 1.23 toolchain pin: confirm CI/tooling image matches go1.23.12.

With toolchain go1.23.12, older builders will fetch a toolchain at build time; ensure hermetic environments already use 1.23.12.


🏁 Script executed:

#!/bin/bash
go version
go env GOVERSION 2>/dev/null || true

Length of output: 72


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "CI workflow files in .github/workflows:"
find .github/workflows -type f -maxdepth 2 || true

echo
echo "actions/setup-go entries:"
grep -R "actions/setup-go" -n .github/workflows || true

echo
echo "go-version parameters in workflows:"
grep -R "go-version" -n .github/workflows || true

echo
if [ -f .circleci/config.yml ]; then
  echo "CircleCI Docker image references:"
  grep -R "image:" -n .circleci/config.yml || true
fi

echo
if [ -f .gitlab-ci.yml ]; then
  echo "GitLab CI Docker image references:"
  grep -R "image:" -n .gitlab-ci.yml || true
fi

Length of output: 1079


🌐 Web query:

Does GitHub Actions setup-go v5 support the go.mod 'toolchain' directive when using go-version-file?

💡 Result:

Short answer: No. setup-go v5 reads the go directive from go.mod/go.work via go-version-file but does not act on the go.mod "toolchain" directive; see the action README and the open issue requesting toolchain support. [1][2]

Workarounds: explicitly set go-version or set GOTOOLCHAIN=local in the step's env. [2]


Explicitly pin Go 1.23.12 in CI workflows
actions/setup-go@v5’s go-version-file: go.mod reads only the go directive (1.23.0) and ignores the toolchain directive, so CI is installing 1.23.0 (or falling back to the runner’s Go 1.24.1) instead of 1.23.12. Update each workflow to:

  • replace
      uses: actions/setup-go@v5
      with:
        go-version-file: go.mod
    with
      uses: actions/setup-go@v5
      with:
        go-version: 1.23.12

in .github/workflows/ci-build.yml (line 23), govulncheck.yml (lines 19/24), and verify-dependencies.yml (line 19).

🤖 Prompt for AI Agents
In go.mod around lines 3 to 6, the go directive is 1.23.0 while the toolchain is
1.23.12; update each GitHub Actions workflow to explicitly pin Go 1.23.12 by
replacing the actions/setup-go@v5 usage that references go-version-file: go.mod
with a go-version: 1.23.12 argument — specifically edit
.github/workflows/ci-build.yml (around line 23),
.github/workflows/govulncheck.yml (around lines 19 and 24), and
.github/workflows/verify-dependencies.yml (around line 19) to use with: uses:
actions/setup-go@v5 and go-version: 1.23.12 so CI installs the intended Go
toolchain.
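
Added example, not part of the review or the project's code: a shell check that reads the go and toolchain directives from go.mod and compares them with the version a workflow asks actions/setup-go to install. It assumes, as the review comment above states, that go-version-file resolves to the go directive only; the function names and the sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: detect drift between go.mod's toolchain directive and the
# Go version a GitHub Actions workflow requests. Sample files are constructed.

# Print the value of a top-level go.mod directive ("go" or "toolchain").
gomod_directive() {          # $1 = go.mod path, $2 = directive name
  awk -v d="$2" '$1 == d && NF >= 2 { print $2; exit }' "$1"
}

# Print the first scalar value of a YAML key, with optional quotes stripped.
yaml_scalar() {              # $1 = key, $2 = YAML path
  sed -n "s/^[[:space:]]*$1:[[:space:]]*['\"]\{0,1\}\([^'\"[:space:]]*\).*/\1/p" "$2" | head -n1
}

# Print how a workflow selects Go: "pinned:<version>", "file:<path>" or "none".
workflow_go_source() {       # $1 = workflow YAML path
  local v f
  v=$(yaml_scalar go-version "$1")
  f=$(yaml_scalar go-version-file "$1")
  if [ -n "$v" ]; then echo "pinned:$v"
  elif [ -n "$f" ]; then echo "file:$f"
  else echo "none"; fi
}

# Compare the version CI requests with go.mod's toolchain directive.
# Assumption (from the review above): with go-version-file the action uses
# the `go` directive and does not look at `toolchain`.
check_ci_toolchain() {       # $1 = go.mod path, $2 = workflow path
  local go_v tc_v src ci_v
  go_v=$(gomod_directive "$1" go)
  tc_v=$(gomod_directive "$1" toolchain); tc_v=${tc_v#go}
  src=$(workflow_go_source "$2")
  case "$src" in
    pinned:*) ci_v=${src#pinned:} ;;
    file:*)   ci_v=$go_v ;;
    *)        echo "unknown: workflow does not configure Go"; return 2 ;;
  esac
  if [ -z "$tc_v" ] || [ "$ci_v" = "$tc_v" ]; then
    echo "ok: CI requests $ci_v"
    return 0
  fi
  echo "drift: CI requests $ci_v, go.mod toolchain is $tc_v"
  return 1
}

# Demo on constructed files mirroring the directives quoted in this thread.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'module example.test/api\n\ngo 1.23.0\n\ntoolchain go1.23.12\n' > "$demo_dir/go.mod"
printf '    steps:\n      - uses: actions/setup-go@v5\n        with:\n          go-version-file: go.mod\n' > "$demo_dir/from-file.yml"
printf '    steps:\n      - uses: actions/setup-go@v5\n        with:\n          go-version: 1.23.12\n' > "$demo_dir/pinned.yml"
check_ci_toolchain "$demo_dir/go.mod" "$demo_dir/from-file.yml" || true
check_ci_toolchain "$demo_dir/go.mod" "$demo_dir/pinned.yml"
```

The non-zero return on drift lets the check gate a CI job; run it once per workflow file that sets up Go.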

go.mod Outdated
Comment on lines 11 to 17
k8s.io/api v0.32.4
k8s.io/apimachinery v0.32.4
k8s.io/code-generator v0.32.4
k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340
sigs.k8s.io/controller-runtime v0.19.7
sigs.k8s.io/controller-tools v0.16.5
k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f
sigs.k8s.io/controller-runtime v0.20.4
sigs.k8s.io/controller-tools v0.17.2

💡 Verification agent

🧩 Analysis chain

Kubernetes versions drift vs PR objective; align patch levels.

  • PR objective says k8s to v0.32.1, but here api/apimachinery/code-generator are v0.32.4. Either update the PR description or drop back; recommendation: keep v0.32.4 everywhere for consistency.
  • k8s.io/apiextensions-apiserver is still v0.32.1 (indirect). Mixing 0.32.4 with 0.32.1 can cause subtle incompatibilities. Bump to 0.32.4.
-	k8s.io/apiextensions-apiserver v0.32.1 // indirect
+	k8s.io/apiextensions-apiserver v0.32.4 // indirect

Also confirm downstream repos (host-operator, member-operator) build against 0.32.4.


🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

echo "=== k8s and sigs.k8s.io modules in go.mod ==="
grep -nE '^(k8s.io|sigs.k8s.io)/' go.mod || true

echo
echo "=== indirect dependencies ==="
grep -n '// indirect' go.mod || true

echo
echo "=== occurrences of v0.32.1 ==="
grep -n '0\.32\.1' go.mod || true

Length of output: 2472


🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

echo "=== direct k8s.io and sigs.k8s.io modules in go.mod ==="
grep -nE '^\s*(k8s.io|sigs.k8s.io)/' go.mod || true

echo
echo "=== go.mod lines 1-30 ==="
sed -n '1,30p' go.mod

Length of output: 1998


Align Kubernetes module patch versions

  • Bump k8s.io/apiextensions-apiserver from v0.32.1 to v0.32.4 (go.mod line 54)
  • Update the PR description to reflect v0.32.4 for all k8s.io/* modules
  • Verify that downstream repos (host-operator, member-operator) build successfully against v0.32.4

@MatousJobanek MatousJobanek left a comment

🎉 Thanks 👍

@alexeykazakov alexeykazakov left a comment

Nice!

I wish we could upgrade to go 1.25 right away though :(

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (1)
go.mod (1)

3-5: Toolchain vs CI: pin Go 1.23.12 in workflows (duplicate of earlier concern).

go=1.23.0 with toolchain=1.23.12 is fine locally, but GitHub Actions setup-go@v5 ignores the toolchain directive. Ensure CI explicitly installs 1.23.12. See earlier verification agent note; no change needed in go.mod.

🧹 Nitpick comments (3)
go.mod (3)

9-11: Avoid “latest” wording; pin rationale to a concrete commit.

The comment can go stale. Either drop it or state the exact branch+SHA you’re pinning to.

Apply if you prefer removing the stale phrase:

-	// using latest commit from 'github.com/openshift/api branch release-4.19'

15-15: kube-openapi pseudo-version: confirm compatibility with your CRD/codegen toolchain.

The pinned commit is fairly new; ensure controller-tools v0.17.x and code-generator v0.32.2 don’t require a different kube-openapi commit. If unnecessary, consider letting the resolver choose the version driven by k8s/code-generator.


55-55: Two gengo majors in the graph; prune direct v1 if unused.

You have k8s.io/gengo/v2 (indirect) and k8s.io/gengo (v1) listed directly (Line 14). If this module doesn’t import v1 directly, drop the v1 require to reduce churn and let transitive deps decide.

Apply if unused:

-	k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ce08642 and 3a4084c.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Verify Dependencies
🔇 Additional comments (5)
go.mod (5)

11-13: Good: Kubernetes modules aligned to v0.32.2.

api, apimachinery, code-generator, and apiextensions-apiserver are consistently v0.32.2. Please update the PR description (currently mentions 0.32.1) to reflect 0.32.2.

Also applies to: 54-54


16-17: Version drift vs PR summary.

controller-tools here is v0.17.3 (PR text says v0.17.2). Please align the PR description and confirm no unintended CRD diffs after regenerate.


41-43: CLI deps upgrade looks fine.

cobra v1.9.1 and pflag v1.0.6 are safe bumps for generators/CLI helpers.


44-50: golang.org/x bumps are reasonable for Go 1.23.

No issues expected.


57-59: Auxiliary k8s/sigs libs updated coherently.

utils, json, structured-merge-diff versions look consistent with k8s 0.32.x.

@rsoaresd rsoaresd merged commit 4ecb3a4 into codeready-toolchain:master Sep 16, 2025
7 checks passed