NO-ISSUE: bumping to to 1.25 in the backplane-2.9 branch

.golangci.yml

@@ -0,0 +1,78 @@
+version: "2"
+run:
+  concurrency: 4
+  timeout: 5m
+  issues-exit-code: 1
+  tests: true
+output:
+  print-issued-lines: true
+  print-linter-name: true
+linters:
+  enable:
+    - staticcheck
+    - unused
+    - govet
+    - gocyclo
+    - gosec
+    - unconvert
+  settings:
+    govet:
+      enable:
+        - shadow
+      settings:
+        printf:
+          funcs:
+            - Infof
+            - Warnf
+            - Errorf
+            - Fatalf
+    gosec:
+      excludes:
+        - G107
+        - G115
+        - G401
+        - G402
+        - G501
+    staticcheck:
+      checks:
+        - "all"
+        - "-ST1001"
+        - "-ST1003"
+        - "-ST1005"
+        - "-ST1008"
+        - "-ST1016"
+        - "-ST1019"
+        - "-ST1023"
+        - "-QF1001"
+        - "-QF1003"
+        - "-QF1011"
+  exclusions:
+    rules:
+    - linters:
+        - staticcheck
+      text: 'QF1008: could remove embedded field'
+    - linters:
+        - gosec
+      text: 'G306: Expect WriteFile permissions to be 0600 or less'
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+issues:
+  uniq-by-line: true
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

Dockerfile

@@ -1,4 +1,4 @@
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21 as builder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.21 as builder
 ARG TARGETOS
 ARG TARGETARCH
 

Dockerfile.konflux

@@ -1,4 +1,4 @@
-FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.24 as builder
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.25 as builder
 ARG TARGETOS
 ARG TARGETARCH
 

Makefile

@@ -60,6 +60,10 @@ else
 GOBIN=$(shell go env GOBIN)
 endif
 
+# Get the list of packages which have test files
+TEST ?= $(shell go list -f '{{if or .TestGoFiles .XTestGoFiles}}{{.ImportPath}}{{end}}' ./...)
+
+
 PROJECT_DIR := $(shell dirname $(abspath $(firstword $(MAKEFILE_LIST))))
 
 # Setting SHELL to bash allows bash commands to be executed by recipes.
@@ -113,7 +117,7 @@ golangci-lint: ## Run golangci-lint against code.
 
 .PHONY: test
 test: manifests generate fmt vet ## Run tests.
-	go test ./... -coverprofile cover.out
+	go test $(TEST) -coverprofile cover.out
 
 .PHONY: deploy-integration-test
 deploy-integration-test:
@@ -185,7 +189,7 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.4.3
-CONTROLLER_TOOLS_VERSION ?= v0.16.2
+CONTROLLER_TOOLS_VERSION ?= v0.17.0
 
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize

cmd/manager/main.go

@@ -21,7 +21,7 @@ import (
 	"flag"
 	"fmt"
 	"net/http"
-	_ "net/http/pprof"
+	_ "net/http/pprof" //nolint:gosec // G108: pprof is only enabled via --start-pprof flag and runs on localhost:6060
 	"net/url"
 	"os"
 	"time"
@@ -137,7 +137,7 @@ func main() {
 	}
 
 	controllerOptions := &controllers.ImageClusterInstallReconcilerOptions{}
-	if err := envconfig.Process("image-based-install-operator", controllerOptions); err != nil {
+	if err = envconfig.Process("image-based-install-operator", controllerOptions); err != nil {
 		setupLog.Error(err, "unable to process envconfig")
 		os.Exit(1)
 	}

cmd/server/main.go

@@ -41,7 +41,7 @@ func main() {
 		ConfigsDir: filepath.Join(Options.DataDir, "namespaces"),
 	}
 	http.Handle("/images/", s)
-	server := &http.Server{
+	server := &http.Server{ //nolint:gosec // G112: ReadHeaderTimeout not set
 		Addr: fmt.Sprintf(":%s", Options.Port),
 	}
 

config/crd/bases/extensions.hive.openshift.io_imageclusterinstalls.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.2
+    controller-gen.kubebuilder.io/version: v0.17.0
   name: imageclusterinstalls.extensions.hive.openshift.io
 spec:
   group: extensions.hive.openshift.io
@@ -150,8 +150,27 @@ spec:
                       during installation and used for tagging/naming resources in
                       cloud providers.
                     type: string
+                  metadataJSONSecretRef:
+                    description: |-
+                      MetadataJSONSecretRef references the secret containing the metadata.json emitted by the
+                      installer, potentially scrubbed for sensitive data.
+                    properties:
+                      name:
+                        default: ""
+                        description: |-
+                          Name of the referent.
+                          This field is effectively required, but due to backwards compatibility is
+                          allowed to be empty. Instances of this type with an empty value here are
+                          almost certainly wrong.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
                   platform:
-                    description: Platform holds platform-specific cluster metadata
+                    description: |-
+                      Platform holds platform-specific cluster metadata.
+                      Deprecated. Use the Secret referenced by MetadataJSONSecretRef instead. We may stop
+                      populating this section in the future.
                     properties:
                       aws:
                         description: AWS holds AWS-specific cluster metadata
@@ -160,14 +179,18 @@ spec:
                             description: |-
                               HostedZoneRole is the role to assume when performing operations
                               on a hosted zone owned by another account.
+                              Deprecated. Use the Secret referenced by ClusterMetadata.MetadataJSONSecretRef instead. We
+                              may stop populating this section in the future.
                             type: string
                         type: object
                       azure:
                         description: Azure holds azure-specific cluster metadata
                         properties:
                           resourceGroupName:
-                            description: ResourceGroupName is the name of the resource
-                              group in which the cluster resources were created.
+                            description: |-
+                              ResourceGroupName is the name of the resource group in which the cluster resources were created.
+                              Deprecated. Use the Secret referenced by ClusterMetadata.MetadataJSONSecretRef instead. We
+                              may stop populating this section in the future.
                             type: string
                         required:
                         - resourceGroupName
@@ -176,7 +199,10 @@ spec:
                         description: GCP holds GCP-specific cluster metadata
                         properties:
                           networkProjectID:
-                            description: NetworkProjectID is used for shared VPC setups
+                            description: |-
+                              NetworkProjectID is used for shared VPC setups
+                              Deprecated. Use the Secret referenced by ClusterMetadata.MetadataJSONSecretRef instead. We
+                              may stop populating this section in the future.
                             type: string
                         type: object
                     type: object

controllers/imageclusterinstall_controller.go

@@ -202,7 +202,7 @@ func (r *ImageClusterInstallReconciler) Reconcile(ctx context.Context, req ctrl.
 		return res, err
 	}
 
-	if err := r.setClusterInstallMetadata(ctx, log, ici, cd); err != nil {
+	if err = r.setClusterInstallMetadata(ctx, log, ici, cd); err != nil {
 		cond.Message = "failed to set ClusterMetaData in ImageClusterInstall"
 		log.Error(err)
 		return ctrl.Result{}, err
@@ -602,7 +602,7 @@ func (r *ImageClusterInstallReconciler) updateBMHProvisioningState(ctx context.C
 	if bmh.Status.Provisioning.State != bmh_v1alpha1.StateAvailable && bmh.Status.Provisioning.State != bmh_v1alpha1.StateExternallyProvisioned {
 		return nil
 	}
-	log.Infof("BareMetalHost %s/%s PoweredOn status is: %s", bmh.Namespace, bmh.Name, bmh.Status.PoweredOn)
+	log.Infof("BareMetalHost %s/%s PoweredOn status is: %t", bmh.Namespace, bmh.Name, bmh.Status.PoweredOn)
 	if !bmh.Spec.Online {
 		bmh.Spec.Online = true
 		log.Infof("Setting BareMetalHost (%s/%s) spec.Online to true", bmh.Namespace, bmh.Name)
@@ -1036,6 +1036,9 @@ func (r *ImageClusterInstallReconciler) writeImageBaseConfig(ctx context.Context
 		return err
 	}
 	releaseRegistry, err := r.imageSetRegistry(ctx, ici)
+	if err != nil {
+		return err
+	}
 
 	return installer.WriteImageBaseConfig(ctx, ici, releaseRegistry, nmstate, file)
 }

controllers/imageclusterinstall_controller_test.go

@@ -164,7 +164,7 @@ var _ = Describe("Reconcile", func() {
 		clusterDeployment       *hivev1.ClusterDeployment
 		pullSecret              *corev1.Secret
 		installerMock           *installer.MockInstaller
-		testPullSecretVal       = `{"auths":{"cloud.openshift.com":{"auth":"dXNlcjpwYXNzd29yZAo=","email":"r@r.com"}}}`
+		testPullSecretVal       = `{"auths":{"cloud.openshift.com":{"auth":"dXNlcjpwYXNzd29yZAo=","email":"r@r.com"}}}` //nolint:gosec // G101: fake credentials for testing
 	)
 
 	BeforeEach(func() {
@@ -426,7 +426,7 @@ var _ = Describe("Reconcile", func() {
 		clusterInstall.Spec.Hostname = "thing"
 		clusterInstall.Spec.SSHKey = "my ssh key"
 		Expect(c.Create(ctx, clusterInstall)).To(Succeed())
-		r.initializeConditions(ctx, clusterInstall)
+		Expect(r.initializeConditions(ctx, clusterInstall)).To(Succeed())
 		cond := findCondition(clusterInstall.Status.Conditions, hivev1.ClusterInstallCompleted)
 		cond.Status = corev1.ConditionTrue
 		setClusterInstallCondition(&clusterInstall.Status.Conditions, *cond)
@@ -1855,7 +1855,7 @@ var _ = Describe("Reconcile with DataImageCoolDownPeriod set to 1 second", func(
 		clusterDeployment       *hivev1.ClusterDeployment
 		pullSecret              *corev1.Secret
 		installerMock           *installer.MockInstaller
-		testPullSecretVal       = `{"auths":{"cloud.openshift.com":{"auth":"dXNlcjpwYXNzd29yZAo=","email":"r@r.com"}}}`
+		testPullSecretVal       = `{"auths":{"cloud.openshift.com":{"auth":"dXNlcjpwYXNzd29yZAo=","email":"r@r.com"}}}` //nolint:gosec // G101: fake credentials for testing
 	)
 
 	installerSuccess := func() {

controllers/imageclusterinstall_monitor_test.go

@@ -39,7 +39,7 @@ var _ = Describe("Monitor", func() {
 		clusterDeployment       *hivev1.ClusterDeployment
 		bmh                     *bmh_v1alpha1.BareMetalHost
 		pullSecret              *corev1.Secret
-		testPullSecretVal       = `{"auths":{"cloud.openshift.com":{"auth":"dXNlcjpwYXNzd29yZAo=","email":"r@r.com"}}}`
+		testPullSecretVal       = `{"auths":{"cloud.openshift.com":{"auth":"dXNlcjpwYXNzd29yZAo=","email":"r@r.com"}}}` //nolint:gosec // G101: fake credentials for testing
 	)
 
 	BeforeEach(func() {

go.mod

@@ -1,8 +1,8 @@
 module github.com/openshift/image-based-install-operator
 
-go 1.24.0
+go 1.25.0
 
-toolchain go1.24.10
+toolchain go1.25.5
 
 require (
 	github.com/containers/image/v5 v5.31.0

hack/golangci-lint.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-VERSION="1.55.2"
+VERSION="2.8.0"
 
 rootdir=$(git rev-parse --show-toplevel)
 if [ -z "${rootdir}" ]; then

internal/credentials/credentials.go

@@ -23,15 +23,15 @@ import (
 )
 
 const (
-	SecretResourceLabel         = "image-based-installed.openshift.io/created"
+	SecretResourceLabel         = "image-based-installed.openshift.io/created" //nolint:gosec
 	SecretResourceValue         = "true"
 	DefaultUser                 = "kubeadmin"
 	Kubeconfig                  = "kubeconfig"
 	kubeadmincreds              = "kubeadmincreds"
 	kubeAdminKey                = "password"
 	SeedReconfigurationFileName = "manifest.json"
 
-	secretPreservationLabel = "siteconfig.open-cluster-management.io/preserve"
+	secretPreservationLabel = "siteconfig.open-cluster-management.io/preserve" //nolint:gosec
 	secretPreservationValue = "cluster-identity"
 )
 

internal/filelock/filelock.go

@@ -13,7 +13,7 @@ func lockForDir(dir string) (*flock.Flock, error) {
 	p := filepath.Join(dir, lockFileName)
 	_, err := os.Stat(p)
 	if os.IsNotExist(err) {
-		if err := os.WriteFile(p, []byte{}, 0600); err != nil {
+		if err = os.WriteFile(p, []byte{}, 0600); err != nil {
 			return nil, err
 		}
 	} else if err != nil {
@@ -38,7 +38,7 @@ func WithWriteLock(dir string, f func() error) (bool, error, error) {
 	if !locked {
 		return false, nil, nil
 	}
-	defer lock.Unlock()
+	defer lock.Unlock() //nolint:errcheck // ignore error
 
 	return true, nil, f()
 }
@@ -58,7 +58,7 @@ func WithReadLock(dir string, f func() error) (bool, error, error) {
 	if !locked {
 		return false, nil, nil
 	}
-	defer lock.Unlock()
+	defer lock.Unlock() //nolint:errcheck // ignore error
 
 	return true, nil, f()
 }

internal/installer/reinstall_test.go

@@ -46,6 +46,7 @@ platform:
 pullSecret: '{"auths":{"quay.io":{"auth":"dXNlcjpwYXNzCg=="}}}'
 `
 
+//nolint:gosec // G101: fake credentials for testing
 const secretSeedReconfig = `
 {
   "api_version": 1,

internal/monitor/monitor.go

@@ -85,15 +85,15 @@ func clusterVersionStatus(ctx context.Context, log logrus.FieldLogger, c client.
 	for _, cond := range cv.Status.Conditions {
 		if cond.Type == configv1.OperatorAvailable {
 			if !didCVOStarted(log, cv, reconfigurationStartTime) {
-				log.Infof(clusterVersionNotAvailableMessage)
+				log.Info(clusterVersionNotAvailableMessage)
 				return false, clusterVersionNotAvailableMessage, nil
 			}
 			if cond.Status == configv1.ConditionTrue {
 				return true, clusterVersionAvailableMessage, nil
 			}
 			if cond.Type == configv1.OperatorAvailable {
 				message := fmt.Sprintf("ClusterVersion is not yet available because %s: %s", cond.Reason, cond.Message)
-				log.Infof(message)
+				log.Info(message)
 				return false, message, nil
 			}
 		}
@@ -134,7 +134,7 @@ func nodesStatus(ctx context.Context, log logrus.FieldLogger, c client.Client) (
 			if cond.Type == corev1.NodeReady {
 				if cond.Status != corev1.ConditionTrue {
 					message := fmt.Sprintf("Node %s is not yet ready because %s: %s", node.Name, cond.Reason, cond.Message)
-					log.Infof(message)
+					log.Info(message)
 					messages = append(messages, message)
 					nodesReady = false
 				}