@rsoaresd rsoaresd commented Dec 17, 2025

Description

Update dependencies

| Tool/Library | Current Version | Updates to Version |
|---|---|---|
| k8s.io/* | v0.32.2 | v0.33.4 |
| controller-runtime | v0.20.4 | v0.21.0 |
| controller-tools | v0.17.3 | v0.18.0 |

Related PRs

codeready-toolchain/api#495
codeready-toolchain/toolchain-common#503
codeready-toolchain/member-operator#718
codeready-toolchain/host-operator#1226
codeready-toolchain/registration-service#565
codeready-toolchain/toolchain-cicd#165
kubesaw/ksctl#137
wa#311
https://github.com/codeready-toolchain/sandboxctl/pull/59
https://github.com/codeready-toolchain/sandbox-sre/pull/2815
https://github.com/codeready-toolchain/mcp-server-devsandbox/pull/49

Issue ticket number and link

SANDBOX-1465

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated Go language requirement from 1.23.x to 1.24.x
    • Updated tool requirements: operator-sdk to 1.42.0, opm to 1.59.0
    • Upgraded project dependencies to newer compatible versions
    • Cleared the pre-populated vulnerability ignore list

coderabbitai bot commented Dec 17, 2025

📥 Commits

Reviewing files that changed from the base of the PR and between b1c17c6 and 20f2577.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Walkthrough

This PR updates the Go toolchain to 1.24.x, upgrades multiple module dependencies (notably Kubernetes/Prometheus/operator-related modules and codeready-toolchain replacements), clears the .govulncheck.yaml ignored-vulnerabilities list, and bumps several development tool minimum versions in docs.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Go toolchain & CI images (README.adoc, build/devsandbox-dashboard/Dockerfile, openshift-ci/Dockerfile.tools, required_tools.adoc) | Bumped Go from 1.23.x (1.23.12) → 1.24.x (1.24.11); updated Dockerfile toolchain download/checksum; aligned docs and required tool versions. |
| Module dependency updates (go.mod) | Updated go directive to 1.24.4; upgraded many dependencies (k8s/, prometheus/, operator-framework, openshift/, x/); added replace entries for codeready-toolchain/api and codeready-toolchain/toolchain-common. Review dependency graph and replace implications. |
| Vulnerability config (.govulncheck.yaml) | Removed pre-populated ignored vulnerability entries — ignored-vulnerabilities set to empty array. Check vuln scan outcomes may change. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

  • alexeykazakov
  • MatousJobanek

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title mentions updating dependencies to 4.20, which aligns with the PR's objective. However, the actual changes show updates to Go toolchain (1.23.12 → 1.24.11) and various tool versions, in addition to Kubernetes/OpenShift dependencies. The title is partially related—it captures the main dependency update work but omits the significant Go version upgrade. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

openshift-ci bot commented Dec 18, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeykazakov, MatousJobanek, rsoaresd

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [MatousJobanek,alexeykazakov,rsoaresd]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Fix all issues with AI Agents 🤖
In @go.mod:
- Line 145: Bump to Go 1.24.4 can change runtime scheduling and surface
concurrency flakes; run the full test matrix (use the existing make test target)
and re-run failing tests with the race detector (go test -race) and CI logs to
reproduce; focus on concurrent-heavy packages like testsupport and setup,
add/remove sleeps or synchronize with channels/WaitGroups in functions under
test (look for tests or helpers referencing testsupport.Setup or similar) to
eliminate timing dependencies, and if flakes persist, add deterministic
synchronization in the affected tests or pin CI to reproduce locally under Go
1.24.4 before merging.
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c4598f6 and 8645c7e.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (6)
  • .govulncheck.yaml
  • README.adoc
  • build/devsandbox-dashboard/Dockerfile
  • go.mod
  • openshift-ci/Dockerfile.tools
  • required_tools.adoc
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build & push operator bundles & dashboard image for e2e tests
🔇 Additional comments (9)
README.adoc (1)

10-10: LGTM! Documentation update aligns with toolchain upgrade.

The Go version requirement update is consistent with the toolchain changes in the Dockerfiles and required tools documentation.

openshift-ci/Dockerfile.tools (1)

12-13: LGTM! Consistent with other Dockerfile updates.

The Go toolchain version and SHA256 checksum updates are consistent with the changes in build/devsandbox-dashboard/Dockerfile. The SHA256 verification requested for that file applies here as well.

build/devsandbox-dashboard/Dockerfile (1)

11-12: The SHA256 checksum for go1.24.11 is correct and matches the official Go downloads page. No action required.

.govulncheck.yaml (1)

1-1: Remove this review comment—the file is newly created, not modified.

The .govulncheck.yaml file was added as a new file with an empty ignored-vulnerabilities list, not cleared from a previous state. There is no prior version to verify against, so no vulnerabilities were removed.

Likely an incorrect or invalid review comment.

required_tools.adoc (1)

2-10: All compatibility verified as sound. Go 1.24.x was released February 11, 2025; operator-sdk 1.42.0 inherited Go 1.24 support from v1.41.0; and opm v1.59.0 maintains Kubernetes 1.33 compatibility (v1.60.0 is the first to bump to Kubernetes 1.34). No issues found.

go.mod (4)

16-17: openshift/api alignment with PR objectives.

Line 17 includes a comment indicating the use of the latest commit from the release-4.20 branch of openshift/api. This aligns well with the PR objectives of updating to Kubernetes 4.20-compatible dependencies.


149-152: Verify these replace directives use personal forks intentionally.

The module uses replace directives pointing to personal forks (github.com/rsoaresd/api and github.com/rsoaresd/toolchain-common) with v0.0.0 pseudo-versions. Since the official codeready-toolchain/api repository has no published releases, the v0.0.0 pattern is appropriate for development code.

However, confirm:

  • Is rsoaresd authorized to maintain these forks for this project?
  • Should these reference official branches directly (e.g., master) instead of personal forks, per the team's preference for branch-based references?
  • Will these be replaced with official repository references before merging?

26-30: Kubernetes v0.33.4 and controller-runtime v0.21.0 compatibility verified — no blocking issues.

The upgrade to Kubernetes components v0.33.4 with controller-runtime v0.21.0 is compatible. The k8s.io/* v0.33.4 libraries are designed for Kubernetes v1.33, and controller-runtime v0.21.0 explicitly targets these versions. Go 1.24.4 in the repository meets the controller-runtime v0.21.0 requirement.

The codebase uses the deprecated count/ingresses.extensions API in resource quotas (deploy/nstemplatetiers/appstudio/cluster.yaml, deploy/base1ns-gotemplate/cluster.yaml, and test support code), which remains functional in v0.33.4 and is not removed in Kubernetes v1.33. This is a pre-existing usage pattern, not introduced by this upgrade.


18-18: operator-framework/api v0.34.0 is compatible with controller-runtime v0.21.0 and k8s.io/api v0.33.4.

Verification confirms exact version matches: operator-framework/api v0.34.0 requires k8s.io/api v0.33.4 and k8s.io/apimachinery v0.33.4, which matches the project's dependencies. Additionally, controller-runtime v0.21.0 supports k8s.io/* v0.33.0+, so k8s.io/api v0.33.4 is within the compatible range. No compatibility issues detected.
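
The replace-directive question raised in the go.mod comments above can be checked mechanically before merge. This is an added example, not part of the review or of the project's code: it parses go.mod text with the standard library only and reports replace targets that are local paths or sit outside an allowed organisation prefix. The sample go.mod, its placeholder pseudo-versions, the `example.com/hypothetical/lib` entry and the allow-list are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: fork paths follow the PR thread, versions are placeholders,
// and example.com/hypothetical/lib is a hypothetical in-org replacement for contrast.
const sampleGoMod = `module github.com/codeready-toolchain/toolchain-e2e
go 1.24.4
replace github.com/codeready-toolchain/api => github.com/rsoaresd/api v0.0.0-00010101000000-000000000000
replace (
	github.com/codeready-toolchain/toolchain-common => github.com/rsoaresd/toolchain-common v0.0.0-00010101000000-000000000000 // fork
	example.com/hypothetical/lib => github.com/codeready-toolchain/lib v1.0.0
)
`

// Replace is one directive: Old module path replaced by New (module path or local dir).
type Replace struct{ Old, New string }

// parseReplaces reads single-line and block-form replace directives from go.mod text.
func parseReplaces(gomod string) []Replace {
	var out []Replace
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop trailing comment
		f := strings.Fields(line)
		if len(f) == 0 || (!inBlock && f[0] != "replace") {
			continue // blank line, or a directive other than replace
		}
		if inBlock {
			inBlock = f[0] != ")" // ")" closes the replace block
		} else {
			f = f[1:] // single-line form, or the "replace (" opener
			inBlock = len(f) == 1 && f[0] == "("
		}
		// Remaining fields read: old [version] => new [version]
		for i, tok := range f {
			if tok == "=>" && i > 0 && i+1 < len(f) {
				out = append(out, Replace{Old: f[0], New: f[i+1]})
			}
		}
	}
	return out
}

// outsideAllowed returns directives whose target matches no allowed prefix; local paths never match.
func outsideAllowed(reps []Replace, allowed []string) []Replace {
	var bad []Replace
	for _, r := range reps {
		ok := false
		for _, p := range allowed {
			// Prefixes end in "/" so a look-alike organisation name does not match.
			ok = ok || strings.HasPrefix(r.New, p)
		}
		if !ok {
			bad = append(bad, r)
		}
	}
	return bad
}

func main() {
	fmt.Println(outsideAllowed(parseReplaces(sampleGoMod), []string{"github.com/codeready-toolchain/"}))
}
```

Run as a CI step against the real go.mod, a non-empty result is a reason to block the merge until the replace entries point back at the official repositories.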

)

go 1.23.0
go 1.24.4
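
Review bot: The go directive at the end of this hunk moves from 1.23.0 to 1.24.4, which raises the minimum Go version for everyone who builds the module, and nothing in the hunk says why the floor is 1.24.4 rather than 1.24.0. Add a short comment beside `go 1.24.4`, or a line in the PR description, naming the dependency that requires it, so that a later tidy which raises the floor again is noticed in review.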
@coderabbitai coderabbitai bot Jan 5, 2026

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# Explore project structure and go module setup
cd /tmp && find . -maxdepth 3 -name "go.mod" -o -name "go.sum" -o -name "*_test.go" 2>/dev/null | head -10

Repository: codeready-toolchain/toolchain-e2e

Length of output: 59


🏁 Script executed:

# Check the actual go.mod file to understand full context
cat go.mod | head -30
cat go.mod | tail -10

Repository: codeready-toolchain/toolchain-e2e

Length of output: 1559


🏁 Script executed:

# Look for test configuration files
fd -t f '(Makefile|\.yml|\.yaml|\.toml)' | grep -E '(Makefile|test|\.github)' | head -20

Repository: codeready-toolchain/toolchain-e2e

Length of output: 723


🏁 Script executed:

# Check if go.sum exists and examine dependency count
ls -lh go.sum 2>/dev/null && wc -l go.sum || echo "go.sum not found"

Repository: codeready-toolchain/toolchain-e2e

Length of output: 142


🏁 Script executed:

# Search for test invocations in common CI/build files
find . -maxdepth 2 -type f \( -name "Makefile" -o -name "*.sh" \) -exec grep -l "go test" {} \;

Repository: codeready-toolchain/toolchain-e2e

Length of output: 59


🏁 Script executed:

# Check Makefile content for test targets
cat Makefile | head -50

Repository: codeready-toolchain/toolchain-e2e

Length of output: 216


🏁 Script executed:

# Look for GitHub Actions or CI configurations
find . -path "./.git" -prune -o -type f -name "*.yml" -o -name "*.yaml" | grep -E '(github|\.github|workflows|ci)' | head -10

Repository: codeready-toolchain/toolchain-e2e

Length of output: 435


🏁 Script executed:

# Search for test-related references in the repository
rg "go test" --type sh --type makefile | head -20

Repository: codeready-toolchain/toolchain-e2e

Length of output: 109


🏁 Script executed:

# Check the k8s.io/api version compatibility with Go 1.24
rg "1\.24" . --type go 2>/dev/null || echo "No direct Go 1.24 references found"

Repository: codeready-toolchain/toolchain-e2e

Length of output: 1148


🏁 Script executed:

# Check the make directory for test targets
ls -la make/ && echo "---" && cat make/*.mk | grep -E "^[a-z-]+:" | head -20

Repository: codeready-toolchain/toolchain-e2e

Length of output: 1933


🏁 Script executed:

# Check the CI build workflow
cat .github/workflows/ci-build.yml | head -80

Repository: codeready-toolchain/toolchain-e2e

Length of output: 944


🏁 Script executed:

# Look for test commands in the make files
find make -type f -name "*.mk" -exec grep -l "test" {} \;

Repository: codeready-toolchain/toolchain-e2e

Length of output: 185


🏁 Script executed:

# Check if there are any known compatibility issues documented
rg "1\.24|compatibility" . --type md --type txt 2>/dev/null | head -20

Repository: codeready-toolchain/toolchain-e2e

Length of output: 59


🏁 Script executed:

# Check test.mk for test targets
cat make/test.mk | head -60

Repository: codeready-toolchain/toolchain-e2e

Length of output: 1928


🏁 Script executed:

# Check go.mk for build/test configuration
cat make/go.mk

Repository: codeready-toolchain/toolchain-e2e

Length of output: 1019


🏁 Script executed:

# Search for any compatibility documentation in README or similar
find . -maxdepth 2 -type f \( -name "README*" -o -name "CONTRIBUTING*" \) -exec cat {} \; 2>/dev/null | head -100

Repository: codeready-toolchain/toolchain-e2e

Length of output: 4505


🏁 Script executed:

# Research k8s.io/api v0.33.4 Go version support - check go.mod comment or any documentation
grep -r "k8s.io\|kubernetes\|go version" go.sum 2>/dev/null | head -5

Repository: codeready-toolchain/toolchain-e2e

Length of output: 474


🏁 Script executed:

# Check test.mk to see the actual test commands being run
cat make/test.mk | grep -A 10 "^test:"

Repository: codeready-toolchain/toolchain-e2e

Length of output: 330


🏁 Script executed:

# Verify k8s.io v0.33.4 compatibility with Go 1.24 by checking module requirements
grep "go 1\." go.mod && echo "---" && grep "require" -A 5 go.mod | head -10

Repository: codeready-toolchain/toolchain-e2e

Length of output: 484


🏁 Script executed:

# Research Go 1.24 release notes for breaking changes
web_search "Go 1.24 release notes breaking changes"

Repository: codeready-toolchain/toolchain-e2e

Length of output: 127


🏁 Script executed:

# Check Kubernetes client library compatibility with Go 1.24
web_search "k8s.io/api v0.33.4 Go 1.24 compatibility"

Repository: codeready-toolchain/toolchain-e2e

Length of output: 127


🏁 Script executed:

# Check if there are any CI/CD results or test runs documented
find . -maxdepth 2 -type f -name "*.md" | xargs grep -l "test\|1.24" 2>/dev/null || echo "No matching documentation"

Repository: codeready-toolchain/toolchain-e2e

Length of output: 102


🌐 Web query:

Go 1.24 release notes breaking changes goroutine semantics memory

💡 Result:

Short summary of Go 1.24 items related to breaking changes, goroutine semantics, and memory

  • Official release summary: Go 1.24 focuses on runtime/GC and allocation improvements (new map implementation, faster small-object allocation, runtime mutex), and small language/tool changes — full notes at the Go blog and release notes. [1][2]

  • Breaking/compatibility items to watch:

    • No deliberate change to the core goroutine scheduling or language-level goroutine semantics is listed in the release notes (i.e., goroutine creation, channel/select semantics, and the language spec remain unchanged). However, runtime scheduling/ordering effects can shift due to optimizations, which may expose existing races or reliance on nondeterministic scheduling. Test flakiness for concurrent code has been observed by users. Use the race detector and stronger concurrency tests if code relied on incidental scheduling. [1][2][3]
    • Compiler: stricter error for receiver types that denote cgo-generated types (now disallowed even via alias) — this is a source-compatibility change. [2]
    • WebAssembly: initial memory size significantly reduced (affects small wasm apps). [2]
    • macOS/Linux/ports: platform requirements changed (macOS Big Sur last supported; Linux kernel ≥ 3.2 required); 32-bit windows/arm marked broken — may require platform updates. [2]
  • Memory/GC/runtime effects:

    • GC and runtime improvements reduce CPU overhead and improve allocation/GC behavior (smaller GC pauses on many workloads, more efficient small-object allocation). These changes can reduce memory/CPU usage but may change timing and scheduling exposure of concurrency bugs. [1][2]
    • New builtin map (Swiss Tables) and other runtime internals can be disabled via GOEXPERIMENT if needed. [2]

References
[1] Go 1.24 is released! (Go blog).
[2] Go 1.24 Release Notes (tip.golang.org/doc/go1.24).
[3] Community reports / discussion of concurrent test flakiness after 1.24 (examples on Reddit / issues).


🌐 Web query:

Kubernetes k8s.io v0.33.4 Go 1.24 compatibility support

💡 Result:

Short answer: Yes — the k8s.io v0.33.x line corresponds to Kubernetes v1.33, which was moved to Go 1.24; client libraries in the v0.33.x series are compatible with Go 1.24. (pkg.go.dev)

Notes:

  • Build with a supported Go 1.24.x patch release (e.g., 1.24.4) if possible. (agones.dev)

Monitor for test flakiness related to Go 1.24 runtime scheduling changes.

The upgrade from Go 1.23.0 to 1.24.4 is a minor version bump. Verification confirms:

  • Unit test suite exists and is integrated into CI via make test (runs testsupport and setup test packages)
  • Dependencies are compatible: k8s.io/api v0.33.4, k8s.io/client-go v0.33.4, and k8s.io/apimachinery v0.33.4 are confirmed compatible with Go 1.24
  • No deliberate breaking changes to goroutine semantics or language-level APIs in Go 1.24

However, Go 1.24 introduced runtime scheduling and GC optimizations that can shift execution ordering. This may expose existing concurrency bugs or cause test flakiness in code that relies on specific scheduling behavior. Review test results for any intermittent failures, particularly in concurrent workloads, and use the race detector (go test -race) if concurrency issues emerge.

Contributor Author

We are using toolchain go1.24.11

@rsoaresd, thank you for the clarification! I see the toolchain is indeed set to go1.24.11 (a patch release) while the go directive is 1.24.4. The advice about monitoring for potential test flakiness still applies across the Go 1.24.x line due to runtime changes, but the patch release may include additional fixes. The existing CI test suite should help catch any issues.

Contributor Author

If I try to point to go 1.24.0, it automatically changes to go 1.24.4

@rsoaresd, that's correct! This is expected behavior from the Go toolchain. When you run go mod tidy or similar commands, Go automatically updates the go directive to the minimum version required by your dependencies. In this case, one or more of your dependencies (likely the k8s.io v0.33.4 modules or controller-runtime v0.21.0) requires Go 1.24.4 as the minimum version, so Go enforces that in the go directive.

The setup you have is correct:

  • go 1.24.4 — minimum Go version required by the module and its dependencies
  • toolchain go1.24.11 — the specific Go toolchain version used for builds

This ensures compatibility while using the latest patch release for builds. Thank you for the clarification!

sonarqubecloud bot commented Jan 8, 2026

@rsoaresd rsoaresd merged commit e7c8c30 into codeready-toolchain:master Jan 8, 2026
11 of 12 checks passed