SANDBOX-1465: update kube & openshift dependencies to 4.20 #503
Walkthrough
This PR upgrades the project to Go 1.24, updates Kubernetes and OpenShift dependencies to newer releases (including api v0.33.4 and controller-runtime v0.21.0), updates Prometheus and related indirect dependencies, clears all previously ignored vulnerabilities, and adjusts a test error assertion for updated stack trace line numbers.
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
go.mod
Outdated
| sigs.k8s.io/yaml v1.4.0 // indirect | ||
| ) | ||
|
|
||
| replace github.com/codeready-toolchain/api => github.com/rsoaresd/api v0.0.0-20251217161230-6834c424aeb8 |
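Review bot: The `replace` directive on the last line points github.com/codeready-toolchain/api at a personal fork (github.com/rsoaresd/api) pinned to pseudo-version v0.0.0-20251217161230-6834c424aeb8, and it should not be merged in that form. Go honours `replace` only when this module is the main module, so this repository's build and tests would run against the fork while downstream modules that import it ignore the directive and resolve the upstream api module, which means CI here would no longer exercise what consumers actually get. Once the related codeready-toolchain/api PR is merged, drop the `replace` line and pin the upstream module at the merged commit in the `require` block before this PR lands.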
Codecov Report
✅ All modified and coverable lines are covered by tests.
❌ Your changes status has failed because you have indirect coverage changes. Learn more about Unexpected Coverage Changes and reasons for indirect coverage changes.
Additional details and impacted files
@@ Coverage Diff @@
## master #503 +/- ##
==========================================
- Coverage 78.86% 78.46% -0.41%
==========================================
Files 53 53
Lines 2210 2210
==========================================
- Hits 1743 1734 -9
- Misses 404 413 +9
Partials 63 63
Actionable comments posted: 0
🧹 Nitpick comments (1)
pkg/client/ssa_client_test.go (1)
305-305: Test expectation updated for dependency line number shift. The hardcoded line number reference has been updated from `scheme.go:100` to `scheme.go:110` to reflect changes in the updated dependencies. While the change is appropriate, consider making the test more resilient to future dependency updates.
♻️ Optional: Make test more robust
Consider using partial string matching or regex to avoid brittle line number dependencies:
- assert.Equal(t, "unable to patch '*v1.ConfigMap' called 'obj' in namespace 'default': failed to prepare the object for SSA: no kind is registered for the type v1.ConfigMap in scheme \"pkg/runtime/scheme.go:110\"", err.Error()) + assert.Contains(t, err.Error(), "unable to patch '*v1.ConfigMap' called 'obj' in namespace 'default': failed to prepare the object for SSA: no kind is registered for the type v1.ConfigMap in scheme") + assert.Contains(t, err.Error(), "pkg/runtime/scheme.go:")
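Review bot: Both replacement `assert.Contains` lines call `err.Error()` directly, which panics rather than failing cleanly if `err` is nil; unless the test already asserts a non-nil error before this point, put `require.Error(t, err)` first or use `assert.ErrorContains(t, err, "...")`, which handles a nil error. The second assertion on "pkg/runtime/scheme.go:" still ties the test to a file path inside the dependency, so it can be dropped and the message prefix alone kept.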
📜 Review details
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
- go.sum is excluded by `!**/*.sum`
📒 Files selected for processing (4)
- .govulncheck.yaml
- README.adoc
- go.mod
- pkg/client/ssa_client_test.go
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-10-24T10:18:07.200Z
Learnt from: MatousJobanek
Repo: codeready-toolchain/toolchain-common PR: 496
File: pkg/owners/fetcher_test.go:29-32
Timestamp: 2025-10-24T10:18:07.200Z
Learning: In the codeready-toolchain repositories, the import pattern `controllerruntime "sigs.k8s.io/controller-runtime"` should be kept for consistency across the codebase, even if specific functions like SetControllerReference are used from sub-packages like controllerutil.
Applied to files:
go.mod
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
- GitHub Check: GolangCI Lint
- GitHub Check: Verify Dependencies
- GitHub Check: Test with Coverage
🔇 Additional comments (7)
README.adoc (1)
11-11: LGTM - Documentation updated to reflect Go version upgrade. The Go version requirement is correctly updated to match the go.mod changes (go 1.24.0, toolchain go1.24.11).
go.mod (5)
12-15: OpenShift dependencies updated to latest release-4.20 commits. The OpenShift API and library-go dependencies have been updated to newer commits from their respective release-4.20 branches. These updates align with the overall 4.20 upgrade objective.
68-68: Indirect dependency updates are aligned with direct dependency upgrades. The indirect dependencies have been updated to versions compatible with the new Kubernetes v0.33.4 and controller-runtime v0.21.0. These transitive dependency updates are expected and appropriate.
Also applies to: 77-77, 90-91, 102-108, 110-110, 114-115, 117-122
35-35: Prometheus library upgrades are compatible with this codebase. The prometheus/client_golang v1.22.0 and prometheus/common v0.62.0 upgrades do include breaking changes (zstd opt-in requirement, default validation schema change, removed promlog/sigv4 packages). However, the codebase is unaffected: it uses Go 1.24.0 (exceeds the required Go 1.22 minimum), does not import zstd, promlog, or sigv4, and uses prometheus libraries only for basic test metrics. These version jumps are safe.
3-5: Verify compatibility with Go 1.24.0 breaking changes before merging. Go 1.24.0 introduces several compatibility-affecting changes: stricter cgo method receiver type handling, new vet checks (may surface CI failures), Swiss map runtime changes, linker build ID defaults, and platform deprecations (macOS 11 end-of-life). Confirm that the codebase doesn't rely on cgo-generated type methods, verify new vet checks pass, and ensure reproducible build requirements are met. The go1.24.11 patch is stable and recommended.
22-25: No action required for Kubernetes and controller-runtime compatibility. The dependencies can be safely upgraded to k8s.io v0.33.4 and controller-runtime v0.21.0. Verification shows the identified breaking changes in Kubernetes v1.33.0 (deprecated Endpoints API, removal of gitRepo volume driver, kubeProxyVersion removal) are not used in this codebase. Additionally, the Go 1.24.0 version requirement for controller-runtime v0.21.0 is already met, and the codebase does not use the deprecated Result.Requeue pattern or NewUnmanaged/NewTypedUnmanaged APIs affected by the upgrade.
.govulncheck.yaml (1)
1-1: No action required—empty ignored-vulnerabilities list is correct. The empty `ignored-vulnerabilities: []` configuration is the secure baseline. Vulnerability scanning is already automated via the `.github/workflows/govulncheck.yml` workflow, which runs on every pull request and will catch any new vulnerabilities in the updated dependencies. No manual verification step is needed.



Description
Update dependencies
Related PRs
codeready-toolchain/api#495
codeready-toolchain/member-operator#718
codeready-toolchain/host-operator#1226
codeready-toolchain/toolchain-e2e#1239
codeready-toolchain/registration-service#565
codeready-toolchain/toolchain-cicd#165
kubesaw/ksctl#137
wa#311
https://github.com/codeready-toolchain/sandboxctl/pull/59
https://github.com/codeready-toolchain/sandbox-sre/pull/2815
https://github.com/codeready-toolchain/mcp-server-devsandbox/pull/49
Issue ticket number and link
SANDBOX-1465
Summary by CodeRabbit
Build Requirements
Dependencies