Skip to content

OCPCLOUD-3614: bump k8s and openshift deps#1520

Open
hongkailiu wants to merge 5 commits into
openshift:mainfrom
hongkailiu:OCPCLOUD-3614
Open

OCPCLOUD-3614: bump k8s and openshift deps#1520
hongkailiu wants to merge 5 commits into
openshift:mainfrom
hongkailiu:OCPCLOUD-3614

Conversation

@hongkailiu

@hongkailiu hongkailiu commented Jul 17, 2026

Copy link
Copy Markdown
Member

After the pull:

$ rg 'openshift/(lib|api |client)|sigs.k8s.io/controller-runtime |k8s.io/(.* v0.3\d.|kubernetes|.*=> )' -g '*go.mod' | rg -v 'indirect' | rg -v 'k8s.io/.* v0.36.2'
go.mod: k8s.io/apiserver => github.com/openshift/kubernetes/staging/src/k8s.io/apiserver v0.0.0-20260716191900-78acd4d422b2 // openshift kubernetes has very old copy of k8s.io/kubernetes/pkg/kubelet/server/server.go
go.mod: k8s.io/cri-streaming => github.com/openshift/kubernetes/staging/src/k8s.io/cri-streaming v0.0.0-20260716191900-78acd4d422b2
go.mod: k8s.io/endpointslice => github.com/openshift/kubernetes/staging/src/k8s.io/endpointslice v0.0.0-20260716191900-78acd4d422b2
go.mod: k8s.io/externaljwt => github.com/openshift/kubernetes/staging/src/k8s.io/externaljwt v0.0.0-20260716191900-78acd4d422b2
go.mod: k8s.io/kube-aggregator => github.com/openshift/kubernetes/staging/src/k8s.io/kube-aggregator v0.0.0-20260716191900-78acd4d422b2
go.mod: k8s.io/kube-controller-manager => github.com/openshift/kubernetes/staging/src/k8s.io/kube-controller-manager v0.0.0-20260716191900-78acd4d422b2
go.mod: k8s.io/kube-proxy => github.com/openshift/kubernetes/staging/src/k8s.io/kube-proxy v0.0.0-20260716191900-78acd4d422b2
go.mod: k8s.io/kubelet => github.com/openshift/kubernetes/staging/src/k8s.io/kubelet v0.0.0-20260716191900-78acd4d422b2 // openshift kubernetes has very old copy of k8s.io/kubernetes/cmd/kubelet/app/options/options.go
go.mod: k8s.io/kubernetes => github.com/openshift/kubernetes v1.30.1-0.20260716191900-78acd4d422b2
go.mod: github.com/openshift/api v0.0.0-20260715165912-72066cc9718b
go.mod: github.com/openshift/client-go v0.0.0-20260715172546-dac61734e0ec
go.mod: github.com/openshift/library-go v0.0.0-20260716104731-fdf18b82797f
go.mod: k8s.io/kubernetes v1.36.2
go.mod: sigs.k8s.io/controller-runtime v0.24.1

Summary by CodeRabbit

Summary

  • Chores

    • Updated the Go toolchain to 1.26.
    • Refreshed pinned OpenShift and Kubernetes dependencies (including controller-runtime and core Kubernetes components).
    • Updated related ecosystem libraries to match the newer dependency stack.
  • Bug Fixes

    • Fixed operator event recording for ClusterOperator status transitions so event messages are emitted with the correct formatting for “Status upgrade” and “Status degraded”.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 17, 2026
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

The PR refreshes Go, OpenShift, Kubernetes, controller-runtime, and indirect dependencies, expands staging replacements, removes obsolete modules, and updates status events to pass messages as explicit format arguments.

Changes

Dependency and status event updates

Layer / File(s) Summary
Go and core module alignment
go.mod
Go, OpenShift, controller-runtime, Kubernetes, and staging replacement versions were updated.
Indirect dependency refresh
go.mod
Indirect runtime, tooling, API, observability, networking, and Kubernetes dependencies were updated or removed.
Status event formatting
pkg/operator/status.go, pkg/operator/operator_test.go
Progressing and degraded events now use "%s" format arguments, and fake client setup removes staticcheck suppressions.

Estimated code review effort: 2 (Simple) | ~15 minutes

Suggested reviewers: damdo, racheljpg


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name Status Explanation Resolution
No-Weak-Crypto ❌ Error PR adds vendored weak-crypto code: NTLMv2 uses MD4/MD5, go-ldap adds Digest-MD5/MD4, and dbus auth_sha1_windows.go uses SHA1. Remove or replace these dependency paths with stronger auth/hashing, or avoid vendoring them if unused. Do not ship MD4/MD5/SHA1-based code in the tree.
✅ Passed checks (14 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The only diff removes nolint comments in a helper; no Ginkgo titles were added or changed.
Test Structure And Quality ✅ Passed PR only removed obsolete staticcheck suppressions in a test helper; no Ginkgo It/BeforeEach/Eventually structure or cleanup patterns changed.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the only changed test file is a unit-test helper using testing.T, with no MicroShift-sensitive APIs or unsupported guards.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new repo e2e Ginkgo tests were added; the patch only changes go.mod/vendor and non-e2e operator code, with no SNO-unsafe assumptions found.
Topology-Aware Scheduling Compatibility ✅ Passed No scheduling-manifest/controller changes: touched files are status Eventf formatting, test lint cleanup, and dep/vendor bumps; no affinity, nodeSelector, replicas, or PDB logic.
Ote Binary Stdout Contract ✅ Passed The PR only updates deps and non-stdout status/test code; it adds no stdout writes in main/init/TestMain/BeforeSuite paths.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PASS: The only changed test file, pkg/operator/operator_test.go, just removes nolint comments; no new Ginkgo/e2e tests or networking assumptions were added.
Container-Privileges ✅ Passed PASS: The PR touches no non-vendor manifests, and the full diff adds no privileged/hostNetwork/hostIPC/allowPrivilegeEscalation/runAsUser=0 lines.
No-Sensitive-Data-In-Logs ✅ Passed No added logging with secrets/PII found; modified files only use generic status/event text and a test cleanup.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: upgrading Kubernetes and OpenShift dependencies.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci
openshift-ci Bot requested review from damdo and racheljpg July 17, 2026 10:22

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 10-12: Update the OpenShift Kubernetes replacement versions in
go.mod to match the pins recorded in vendor/modules.txt, or regenerate the
vendor tree from the current go.mod so both references use
20260716191900-78acd4d422b2. Keep the k8s.io/apiserver, k8s.io/kubelet, and
k8s.io/kubernetes replacement entries consistent.
- Around line 53-54: Update the module’s Go version declaration in go.mod from
1.25.0 to 1.26.0, leaving the existing dependency versions unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d7872606-c9f5-41f8-88c9-6c541e75ef36

📥 Commits

Reviewing files that changed from the base of the PR and between c0b2d2c and dbb173f.

📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
Comment thread go.mod
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
Validation Failed: {"resource":"IssueComment","code":"custom","field":"body","message":"body is too long (maximum is 65536 characters)"} - https://docs.github.com/rest/issues/comments#update-an-issue-comment

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
go.mod (1)

8-17: 🔒 Security & Privacy | 🔵 Trivial

Complete the dependency supply-chain verification before merge.

The pins are exact, but verify the companion go.sum hashes, OSV findings, license compatibility, SBOM/provenance generation, and Sigstore/cosign signing for the new OpenShift/Kubernetes fork revisions and dependency updates. As per path instructions, all of these checks are required for dependency-manifest changes.

Also applies to: 27-59

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 8 - 17, Complete supply-chain verification for the
dependency updates in go.mod, including matching go.sum hashes, OSV
vulnerability checks, license compatibility review, SBOM and provenance
generation, and Sigstore/cosign signature verification for the OpenShift Ginkgo
and Kubernetes fork revisions. Apply the same checks to all dependency changes
covered by the comment’s range and record or preserve the resulting verification
artifacts as required by repository instructions.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 3: Update the go.mod Go toolchain configuration from go 1.26.0 to
explicitly require Go 1.26.5 for builds, using a toolchain declaration or
equivalent minimum CI/release builder setting. Ensure builds no longer depend on
the ambient toolchain.

---

Nitpick comments:
In `@go.mod`:
- Around line 8-17: Complete supply-chain verification for the dependency
updates in go.mod, including matching go.sum hashes, OSV vulnerability checks,
license compatibility review, SBOM and provenance generation, and
Sigstore/cosign signature verification for the OpenShift Ginkgo and Kubernetes
fork revisions. Apply the same checks to all dependency changes covered by the
comment’s range and record or preserve the resulting verification artifacts as
required by repository instructions.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

Comment thread go.mod
module github.com/openshift/machine-api-operator

go 1.25.0
go 1.26.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

go version
go env GOTOOLCHAIN
rg -n --hidden -g '!vendor/**' \
  'toolchain go|go-version|setup-go|FROM golang|GO_VERSION' .

Repository: openshift/machine-api-operator

Length of output: 584


Use Go 1.26.5 for builds

go 1.26.0 leaves builds dependent on the ambient toolchain. Pin toolchain go1.26.5, or make the minimum CI/release builder version explicit.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 3, Update the go.mod Go toolchain configuration from go
1.26.0 to explicitly require Go 1.26.5 for builds, using a toolchain declaration
or equivalent minimum CI/release builder setting. Ensure builds no longer depend
on the ambient toolchain.

Go vet now flags passing a variable as the format argument to Eventf.
Use "%s" as the format string and pass the variable as an argument.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
Validation Failed: {"resource":"IssueComment","code":"custom","field":"body","message":"body is too long (maximum is 65536 characters)"} - https://docs.github.com/rest/issues/comments#update-an-issue-comment

… staging

The openshift/kubernetes fork adds APIs (AddAlwaysLocalDelegateForPrefix,
AddOverlappingGroupVersion, etc.) in the kube-aggregator staging area that
aren't in the upstream released module, causing build failures.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
go.mod (1)

27-59: 🔒 Security & Privacy | 🔵 Trivial

Add the missing dependency supply-chain checks. go mod verify is already in place; add the remaining refresh gates for license review, OSV/govulncheck scanning, SBOM/provenance attestations, and cosign signing of release artifacts.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 27 - 59, Add the dependency supply-chain refresh gates
alongside the existing go mod verify check: include license review,
OSV/govulncheck vulnerability scanning, SBOM and provenance attestations, and
cosign signing validation for release artifacts. Reuse the repository’s
established dependency or release-check configuration and keep go mod verify
intact.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 333: Update the go.opentelemetry.io/otel/sdk dependency from v1.40.0 to
v1.43.0, preserving its indirect dependency designation and ensuring the module
metadata reflects the upgraded version.

---

Nitpick comments:
In `@go.mod`:
- Around line 27-59: Add the dependency supply-chain refresh gates alongside the
existing go mod verify check: include license review, OSV/govulncheck
vulnerability scanning, SBOM and provenance attestations, and cosign signing
validation for release artifacts. Reuse the repository’s established dependency
or release-check configuration and keep go mod verify intact.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

Comment thread go.mod
The staticcheck warnings these suppressed no longer fire after the
k8s.io dependency bump.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci

openshift-ci Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign racheljpg for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@hongkailiu hongkailiu changed the title [wip]bump k8s and openshift deps OCPCLOUD-3614: bump k8s and openshift deps Jul 17, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 17, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

@hongkailiu: This pull request references OCPCLOUD-3614 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

After the pull:

$ rg 'openshift/(lib|api |client)|sigs.k8s.io/controller-runtime |k8s.io/(.* v0.3\d.|kubernetes|.*=> )' -g '*go.mod' | rg -v 'indirect' | rg -v 'k8s.io/.* v0.36.2'
go.mod: k8s.io/apiserver => github.com/openshift/kubernetes/staging/src/k8s.io/apiserver v0.0.0-20260716191900-78acd4d422b2 // openshift kubernetes has very old copy of k8s.io/kubernetes/pkg/kubelet/server/server.go
go.mod: k8s.io/cri-streaming => github.com/openshift/kubernetes/staging/src/k8s.io/cri-streaming v0.0.0-20260716191900-78acd4d422b2
go.mod: k8s.io/endpointslice => github.com/openshift/kubernetes/staging/src/k8s.io/endpointslice v0.0.0-20260716191900-78acd4d422b2
go.mod: k8s.io/externaljwt => github.com/openshift/kubernetes/staging/src/k8s.io/externaljwt v0.0.0-20260716191900-78acd4d422b2
go.mod: k8s.io/kube-aggregator => github.com/openshift/kubernetes/staging/src/k8s.io/kube-aggregator v0.0.0-20260716191900-78acd4d422b2
go.mod: k8s.io/kube-controller-manager => github.com/openshift/kubernetes/staging/src/k8s.io/kube-controller-manager v0.0.0-20260716191900-78acd4d422b2
go.mod: k8s.io/kube-proxy => github.com/openshift/kubernetes/staging/src/k8s.io/kube-proxy v0.0.0-20260716191900-78acd4d422b2
go.mod: k8s.io/kubelet => github.com/openshift/kubernetes/staging/src/k8s.io/kubelet v0.0.0-20260716191900-78acd4d422b2 // openshift kubernetes has very old copy of k8s.io/kubernetes/cmd/kubelet/app/options/options.go
go.mod: k8s.io/kubernetes => github.com/openshift/kubernetes v1.30.1-0.20260716191900-78acd4d422b2
go.mod: github.com/openshift/api v0.0.0-20260715165912-72066cc9718b
go.mod: github.com/openshift/client-go v0.0.0-20260715172546-dac61734e0ec
go.mod: github.com/openshift/library-go v0.0.0-20260716104731-fdf18b82797f
go.mod: k8s.io/kubernetes v1.36.2
go.mod: sigs.k8s.io/controller-runtime v0.24.1

Summary by CodeRabbit

Summary

  • Chores

  • Updated the Go toolchain to 1.26.

  • Refreshed pinned OpenShift and Kubernetes dependencies (including controller-runtime and core Kubernetes components).

  • Updated related ecosystem libraries to match the newer dependency stack.

  • Bug Fixes

  • Fixed operator event recording for ClusterOperator status transitions so event messages are emitted with the correct formatting for “Status upgrade” and “Status degraded”.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 17, 2026
@hongkailiu

Copy link
Copy Markdown
Member Author

/retest-required

1 similar comment
@hongkailiu

Copy link
Copy Markdown
Member Author

/retest-required

@openshift-ci

openshift-ci Bot commented Jul 19, 2026

Copy link
Copy Markdown
Contributor

@hongkailiu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn-upgrade adc84c3 link true /test e2e-aws-ovn-upgrade
ci/prow/e2e-aws-ovn adc84c3 link true /test e2e-aws-ovn
ci/prow/e2e-metal-ipi-virtualmedia adc84c3 link true /test e2e-metal-ipi-virtualmedia

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants