SANDBOX-1465: update kube & openshift dependencies to 4.20 #503

Merged
rsoaresd merged 7 commits into codeready-toolchain:master from rsoaresd:upgrade_4_20_dependencies_t_common
Jan 8, 2026
rsoaresd (Contributor) commented Dec 17, 2025

Description

Update dependencies

| Tool/Library | Current Version | Updates to Version |
|---|---|---|
| k8s.io/* | v0.32.2 | v0.33.4 |
| controller-runtime | v0.20.4 | v0.21.0 |
| controller-tools | v0.17.3 | v0.18.0 |

Related PRs

codeready-toolchain/api#495
codeready-toolchain/member-operator#718
codeready-toolchain/host-operator#1226
codeready-toolchain/toolchain-e2e#1239
codeready-toolchain/registration-service#565
codeready-toolchain/toolchain-cicd#165
kubesaw/ksctl#137
wa#311
https://github.com/codeready-toolchain/sandboxctl/pull/59
https://github.com/codeready-toolchain/sandbox-sre/pull/2815
https://github.com/codeready-toolchain/mcp-server-devsandbox/pull/49

Issue ticket number and link

SANDBOX-1465

Summary by CodeRabbit

  • Build Requirements

    • Updated minimum Go version requirement from 1.23.x to 1.24.x.
  • Dependencies

    • Updated OpenShift API and library-go to latest versions.
    • Upgraded Kubernetes API, client, and controller-runtime to v0.33.x series.
    • Updated Prometheus client and related dependencies to latest versions.
    • Updated various supporting libraries for compatibility and improvements.

coderabbitai bot commented Dec 17, 2025

Walkthrough

This PR upgrades the project to Go 1.24, updates Kubernetes and OpenShift dependencies to newer releases (including api v0.33.4 and controller-runtime v0.21.0), updates Prometheus and related indirect dependencies, clears all previously ignored vulnerabilities, and adjusts a test error assertion for updated stack trace line numbers.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependency & Version Updates: README.adoc, go.mod | Go version requirement bumped from 1.23.x (1.23.12+) to 1.24.x (1.24.11+); go.mod directives updated to go 1.24.0 and toolchain go1.24.11; OpenShift API/library-go upgraded to release-4.20; Kubernetes API, apimachinery, client-go, kubectl upgraded to v0.33.4; controller-runtime upgraded to v0.21.0; Prometheus client_golang v1.19.1 → v1.22.0 and common v0.55.0 → v0.62.0; numerous indirect dependencies (sigs.k8s.io/*, golang.org/x/*, google.golang.org/protobuf) updated to newer revisions. |
| Vulnerability Configuration: .govulncheck.yaml | Removed all entries from ignored-vulnerabilities mapping; configuration changed from populated list to empty array. |
| Test Assertion Update: pkg/client/ssa_client_test.go | Updated hardcoded error message assertion in TestSsaClient from pkg/runtime/scheme.go:100 to pkg/runtime/scheme.go:110 to reflect updated stack trace line numbers. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • alexeykazakov
  • xcoulon
  • metlos
  • MatousJobanek

Poem

🐰 A hop to 1.24, dependencies anew,
Kubernetes and Prometheus in matching hue,
Cleared the vault of vulnerabilities old,
Stack traces updated as tests unfold,
Toolchain modernized, secure and true!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change in the changeset: updating Kubernetes and OpenShift dependencies to version 4.20. |

go.mod Outdated
sigs.k8s.io/yaml v1.4.0 // indirect
)

replace github.com/codeready-toolchain/api => github.com/rsoaresd/api v0.0.0-20251217161230-6834c424aeb8
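
Review bot: the `replace` directive on the last line resolves github.com/codeready-toolchain/api from the personal fork github.com/rsoaresd/api at a pseudo-version, so anything built from this branch takes the API module from outside the organization's repository. Drop the directive before merge and point the github.com/codeready-toolchain/api requirement at the upstream commit instead; a CI step that fails while go.mod still contains a `replace` line would keep it from being merged by accident.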
Contributor Author:

temporary

codecov bot commented Dec 17, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.46%. Comparing base (9f5a5e1) to head (2ed8965).
⚠️ Report is 1 commits behind head on master.

❌ Your changes status has failed because you have indirect coverage changes. Learn more about Unexpected Coverage Changes and reasons for indirect coverage changes.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #503      +/-   ##
==========================================
- Coverage   78.86%   78.46%   -0.41%     
==========================================
  Files          53       53              
  Lines        2210     2210              
==========================================
- Hits         1743     1734       -9     
- Misses        404      413       +9     
  Partials       63       63              

see 1 file with indirect coverage changes

sonarqubecloud bot commented Jan 8, 2026

coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
pkg/client/ssa_client_test.go (1)

305-305: Test expectation updated for dependency line number shift.

The hardcoded line number reference has been updated from scheme.go:100 to scheme.go:110 to reflect changes in the updated dependencies. While the change is appropriate, consider making the test more resilient to future dependency updates.

♻️ Optional: Make test more robust

Consider using partial string matching or regex to avoid brittle line number dependencies:

-				assert.Equal(t, "unable to patch '*v1.ConfigMap' called 'obj' in namespace 'default': failed to prepare the object for SSA: no kind is registered for the type v1.ConfigMap in scheme \"pkg/runtime/scheme.go:110\"", err.Error())
+				assert.Contains(t, err.Error(), "unable to patch '*v1.ConfigMap' called 'obj' in namespace 'default': failed to prepare the object for SSA: no kind is registered for the type v1.ConfigMap in scheme")
+				assert.Contains(t, err.Error(), "pkg/runtime/scheme.go:")
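
Review bot: the two `assert.Contains` calls on the `+` lines pass even when the scheme location does not directly follow "in scheme" or carries no line number, so they check less than the `assert.Equal` they replace. A single `assert.Regexp` over the full message, with the tail written as `scheme\.go:\d+`, keeps the whole message pinned while tolerating the line-number shift.
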
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 9f5a5e1 and 2ed8965.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (4)
  • .govulncheck.yaml
  • README.adoc
  • go.mod
  • pkg/client/ssa_client_test.go
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-10-24T10:18:07.200Z
Learnt from: MatousJobanek
Repo: codeready-toolchain/toolchain-common PR: 496
File: pkg/owners/fetcher_test.go:29-32
Timestamp: 2025-10-24T10:18:07.200Z
Learning: In the codeready-toolchain repositories, the import pattern `controllerruntime "sigs.k8s.io/controller-runtime"` should be kept for consistency across the codebase, even if specific functions like SetControllerReference are used from sub-packages like controllerutil.

Applied to files:

  • go.mod
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: GolangCI Lint
  • GitHub Check: Verify Dependencies
  • GitHub Check: Test with Coverage
🔇 Additional comments (7)
README.adoc (1)

11-11: LGTM - Documentation updated to reflect Go version upgrade.

The Go version requirement is correctly updated to match the go.mod changes (go 1.24.0, toolchain go1.24.11).

go.mod (5)

12-15: OpenShift dependencies updated to latest release-4.20 commits.

The OpenShift API and library-go dependencies have been updated to newer commits from their respective release-4.20 branches. These updates align with the overall 4.20 upgrade objective.


68-68: Indirect dependency updates are aligned with direct dependency upgrades.

The indirect dependencies have been updated to versions compatible with the new Kubernetes v0.33.4 and controller-runtime v0.21.0. These transitive dependency updates are expected and appropriate.

Also applies to: 77-77, 90-91, 102-108, 110-110, 114-115, 117-122


35-35: Prometheus library upgrades are compatible with this codebase.

The prometheus/client_golang v1.22.0 and prometheus/common v0.62.0 upgrades do include breaking changes (zstd opt-in requirement, default validation schema change, removed promlog/sigv4 packages). However, the codebase is unaffected: it uses Go 1.24.0 (exceeds the required Go 1.22 minimum), does not import zstd, promlog, or sigv4, and uses prometheus libraries only for basic test metrics. These version jumps are safe.


3-5: Verify compatibility with Go 1.24.0 breaking changes before merging.

Go 1.24.0 introduces several compatibility-affecting changes: stricter cgo method receiver type handling, new vet checks (may surface CI failures), Swiss map runtime changes, linker build ID defaults, and platform deprecations (macOS 11 end-of-life). Confirm that the codebase doesn't rely on cgo-generated type methods, verify new vet checks pass, and ensure reproducible build requirements are met. The go1.24.11 patch is stable and recommended.


22-25: No action required for Kubernetes and controller-runtime compatibility.

The dependencies can be safely upgraded to k8s.io v0.33.4 and controller-runtime v0.21.0. Verification shows the identified breaking changes in Kubernetes v1.33.0 (deprecated Endpoints API, removal of gitRepo volume driver, kubeProxyVersion removal) are not used in this codebase. Additionally, the Go 1.24.0 version requirement for controller-runtime v0.21.0 is already met, and the codebase does not use the deprecated Result.Requeue pattern or NewUnmanaged/NewTypedUnmanaged APIs affected by the upgrade.

.govulncheck.yaml (1)

1-1: No action required—empty ignored-vulnerabilities list is correct.

The empty ignored-vulnerabilities: [] configuration is the secure baseline. Vulnerability scanning is already automated via the .github/workflows/govulncheck.yml workflow, which runs on every pull request and will catch any new vulnerabilities in the updated dependencies. No manual verification step is needed.

@rsoaresd rsoaresd merged commit 94ad63d into codeready-toolchain:master Jan 8, 2026
11 of 13 checks passed