@rsoaresd rsoaresd commented Dec 17, 2025

Description

Update dependencies

Tool/Library        Current Version   Updates to Version
k8s.io/*            v0.32.2           v0.33.4
controller-runtime  v0.20.4           v0.21.0
controller-tools    v0.17.3           v0.18.0

Related PRs

codeready-toolchain/toolchain-common#503
codeready-toolchain/member-operator#718
codeready-toolchain/host-operator#1226
codeready-toolchain/toolchain-e2e#1239
codeready-toolchain/registration-service#565
codeready-toolchain/toolchain-cicd#165
kubesaw/ksctl#137
wa#311
https://github.com/codeready-toolchain/sandboxctl/pull/59
https://github.com/codeready-toolchain/sandbox-sre/pull/2815
https://github.com/codeready-toolchain/mcp-server-devsandbox/pull/49

Issue ticket number and link

SANDBOX-1465

Checks

  1. Did you run make generate target? yes

  2. Did make generate change anything in other projects (host-operator, member-operator)? yes

  3. In case of new CRD, did you do the following? N/A

  4. In case other projects are changed, please provide PR links.

Summary by CodeRabbit

  • Documentation

    • Updated build requirements to Go version 1.24.x (previously 1.23.x)
  • Chores

    • Upgraded Go toolchain to 1.24
    • Updated Kubernetes, OpenShift, and related dependencies to latest compatible versions
    • Cleared all ignored vulnerability exceptions for stricter security posture

coderabbitai bot commented Dec 17, 2025

Walkthrough

Go toolchain updated from version 1.23 to 1.24 with corresponding dependency upgrades. Kubernetes/OpenShift modules bumped to release-4.20 track, multiple stdlib and protobuf packages updated, and previously ignored vulnerabilities cleared from configuration.

Changes

  • Go toolchain version updates (README.adoc, go.mod): Go version requirement bumped from 1.23.x to 1.24.x (1.24.11 or higher); toolchain in go.mod updated from go1.23.12 to go1.24.11
  • Vulnerability configuration (.govulncheck.yaml): Cleared all previously ignored vulnerabilities; replaced populated ignored-vulnerabilities list with empty list
  • Kubernetes and ecosystem dependencies (go.mod): OpenShift API updated to release-4.20 branch; Kubernetes (k8s.io) modules and apimachinery bumped to v0.33.x; google.golang.org/protobuf updated to v1.36.5; golang.org/x/* packages upgraded (tools v0.32.0, mod v0.24.0, text v0.24.0, net v0.39.0, sync v0.13.0, sys v0.32.0); controller-runtime/tools updated to v0.21.0/v0.18.0; kube-openapi and related modules refreshed

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • go.mod: Multiple heterogeneous dependency updates spanning Kubernetes/OpenShift ecosystem, stdlib packages, and protobuf tooling require verification of cross-module compatibility and potential breaking changes, particularly around Kubernetes API versions and code-generation tooling
  • README.adoc and .govulncheck.yaml: Straightforward configuration and documentation updates with minimal complexity

Possibly related PRs

Suggested reviewers

  • xcoulon
  • MatousJobanek
  • alexeykazakov

Poem

🐰 From one-point-three we leap to four with glee,
Kubernetes dependencies sync in harmony,
Vulnerabilities cleared from our safeguard roll,
Go forth with confidence—this upgrade's whole! 🚀

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Title check: ✅ Passed. The PR title references SANDBOX-1465 and mentions updating Kubernetes and OpenShift dependencies to 4.20, which aligns with the primary changes shown in go.mod, README.adoc, and .govulncheck.yaml.
  • Description check: ✅ Passed. The pull request description follows the required template with all sections completed: description provided, all four checks answered, related PRs listed, and issue ticket referenced.
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 72303aa and 6834c42.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • .govulncheck.yaml (1 hunks)
  • README.adoc (1 hunks)
  • go.mod (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Verify Dependencies
🔇 Additional comments (5)
go.mod (3)

3-5: LGTM!

The Go toolchain upgrade to 1.24.0/1.24.11 is consistent with the README.adoc update and aligns with the PR objectives for dependency modernization.


42-48: Versions appear current and secure; verify against project's specific threat model if removing vulnerability checks.

The protobuf package has no known vulnerabilities. CVE-2024-45338 in golang.org/x/net affects all versions before 0.33.0, and the specified version (v0.39.0) is after the fix. golang.org/x/sys v0.32.0 was published November 25, 2025, making it current. The main concern is whether removing ignored vulnerabilities in .govulncheck.yaml reflects actual risk mitigation or changes to the security posture—the current versions themselves are sound.


9-17: Verify controller-tools v0.18.0 compatibility with k8s.io v0.33.2 and consider updating to newer controller-runtime.

  1. Controller-tools v0.18.0 exists but its compatibility with k8s.io v0.33.2 is unclear from official documentation. The published compatibility matrix shows CT v0.17 paired with k8s.io v0.32; confirm v0.18.0 is the correct match for v0.33.2.

  2. Controller-runtime v0.22.4 is available (newer than v0.21.0) and supports k8s.io v0.34. Evaluate whether upgrading to v0.22.x is appropriate for this project, or if v0.21.0 is deliberately locked for compatibility reasons.

  3. The k8s.io v0.33.2 and controller-runtime v0.21.0 compatibility is confirmed correct.

README.adoc (1)

11-11: Go 1.24.11 is the current latest stable patch release for Go 1.24.x.

The README accurately recommends Go 1.24.11 (or higher) for development. Go 1.24.11 was released on December 2, 2025 and is the most recent patch version available, ensuring developers have the latest security fixes and bug improvements.

.govulncheck.yaml (1)

1-1: Verify that previously ignored Go standard library vulnerabilities are resolved.

The removal of four ignored vulnerability exceptions (GO-2025-4010, GO-2025-4007, GO-2025-4009, GO-2025-4011) is appropriate as these are Go standard library vulnerabilities that have been patched. GO-2025-4007 addresses quadratic complexity when checking name constraints in crypto/x509, while GO-2025-4011 addresses parsing DER payload causing memory exhaustion in encoding/asn1. These vulnerabilities are fixed by upgrading to a patched Go version (e.g., Go 1.24.8 or 1.25.2), not external dependencies. Confirm the project uses a Go version containing these patches; otherwise govulncheck will fail.
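To turn the "confirm the project uses a Go version containing these patches" point above into a check, here is an added example (not the project's own tooling or CI) that reads the toolchain pin from a constructed go.mod excerpt and compares it with the minimum patched version; the 1.24.8 floor is the value the review comment cites, and the go.mod text is constructed for the example.

```shell
# Constructed go.mod excerpt (not the project's file), pinning the toolchain as this PR does
GOMOD_SAMPLE='module example.com/api

go 1.24.0

toolchain go1.24.11
'

# version_ge A B: succeed when dotted version A >= B (missing components count as 0)
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    [ -z "$ai" ] && ai=0
    [ -z "$bi" ] && bi=0
    [ "$ai" -gt "$bi" ] && return 0
    [ "$ai" -lt "$bi" ] && return 1
    case "$a" in *.*) a=${a#*.} ;; *) a='' ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b='' ;; esac
  done
  return 0
}

# toolchain_version: print the version from the first "toolchain goX.Y.Z" line on stdin
toolchain_version() {
  sed -n 's/^toolchain go\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# toolchain_patched MIN GOMOD_TEXT: succeed when the pinned toolchain is at least MIN,
# i.e. the Go stdlib fixes behind the dropped govulncheck exceptions are present
toolchain_patched() {
  min="$1"
  v=$(printf '%s\n' "$2" | toolchain_version)
  [ -n "$v" ] && version_ge "$v" "$min"
}

# Usage: the review states the four GO-2025-40xx advisories are fixed from Go 1.24.8
if toolchain_patched 1.24.8 "$GOMOD_SAMPLE"; then
  echo "toolchain pin carries the stdlib fixes"
else
  echo "toolchain pin is older than 1.24.8; govulncheck will still report the advisories" >&2
fi
```

A go.mod with no toolchain line fails the check on purpose, since the effective Go version is then whatever the builder has installed.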

Comment on lines 7 to 18
require (
github.com/go-bindata/go-bindata v3.1.2+incompatible
// using latest commit from 'github.com/openshift/api branch release-4.19'
github.com/openshift/api v0.0.0-20250903165707-ce7baf0afbc4
k8s.io/api v0.32.2
k8s.io/apimachinery v0.32.2
k8s.io/code-generator v0.32.2
// using latest commit from 'github.com/openshift/api branch release-4.20'
github.com/openshift/api v0.0.0-20251202204302-1cb53e34ca33
k8s.io/api v0.33.2
k8s.io/apimachinery v0.33.2
k8s.io/code-generator v0.33.2
k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01
k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f
sigs.k8s.io/controller-runtime v0.20.4
sigs.k8s.io/controller-tools v0.17.3
k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff
sigs.k8s.io/controller-runtime v0.21.0
sigs.k8s.io/controller-tools v0.18.0
)
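Review bot: the k8s.io/api, k8s.io/apimachinery and k8s.io/code-generator pins in this hunk read v0.33.2, while the table in the PR description says k8s.io/* updates to v0.33.4; align the description with go.mod (or bump the pins) so the version actually merged is unambiguous. The k8s.io/gengo pseudo-version from 2023 is left unchanged next to code-generator v0.33.2; confirm make generate still runs cleanly with that pairing, since the description says it changed other projects.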

⚠️ Potential issue | 🟠 Major

Coordinate dependent PRs before merging.

The PR description indicates that CRD changes need to be propagated to host-operator and member-operator repositories, but the PR links are incomplete (showing "#" placeholders). Per the README.adoc guidance, these changes should be promoted separately with proper PRs in the dependent repositories.

Ensure the following before merging:

  1. Complete the host-operator PR and update the PR description with the actual PR number
  2. Complete the member-operator PR and update the PR description with the actual PR number
  3. Verify that make generate has successfully propagated CRD changes to both repositories
  4. Coordinate the merge order (typically api → host-operator → member-operator)
🤖 Prompt for AI Agents
In go.mod around lines 7 to 18: the PR references dependent host-operator and
member-operator changes with placeholder "#" links and CRD changes must be
propagated; create and complete the corresponding PRs in host-operator and
member-operator, update this PR description to include the real PR
numbers/links, run make generate to propagate CRD changes and verify the
generated CRDs appear in both repositories, and coordinate and document the
correct merge order (api → host-operator → member-operator) before merging.
