[SANDBOX-1703] Upgrade deps to OCP 4.21

[metlos]

$TITLE

Note that this required slight updates to the test logic to account for the still imperfect managed fields handling in the fake client.

Summary by CodeRabbit

• Chores
  • Updated Kubernetes core dependencies and related modules to v0.34.x and newer for improved compatibility.
  • Upgraded schema generation/tooling versions and many indirect dependencies for stability.
  • CRD metadata annotations refreshed to align with the updated tooling; no user-facing schema or behavior changes.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 392187c3-b3ec-4202-80cd-5198f55e7c57

📥 Commits

Reviewing files that changed from the base of the PR and between fda5061 and 91d579c.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

🚧 Files skipped from review as they are similar to previous changes (1)

• go.mod

---

Walkthrough

Updated controller-gen kubebuilder annotation from v0.18.0 → v0.19.0 across CRD manifests (nine files) and upgraded Go module dependencies (multiple direct and indirect bumps, replacement directives added in go.mod).

Changes

Cohort / File(s)	Summary
CRD Version Annotations config/crd/bases/toolchain.dev.openshift.com_*.yaml	Bumped metadata.annotations.controller-gen.kubebuilder.io/version from v0.18.0 to v0.19.0 in nine CRD manifests. No schema, field, or behavioral changes observed.
Go Module Dependencies go.mod	Updated many direct deps (e.g., github.com/go-logr/logr → v1.4.3, sigs.k8s.io/controller-tools → v0.19.0, Kubernetes modules → 0.34.x, github.com/openshift/api → release-4.21, Prometheus client, testify → v1.11.1, etc.). Numerous indirect version bumps, one removed indirect, and replace directives mapping github.com/codeready-toolchain/* to github.com/metlos/*. Lines changed: +44/-40.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and specifically describes the main change: upgrading dependencies to OCP 4.21, which is confirmed by the pr_objectives and the substantial go.mod changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 133-135: The go.mod contains personal-fork replace directives
pointing github.com/codeready-toolchain/api and
github.com/codeready-toolchain/toolchain-common to metlos forks; remove those
replace lines before merging to master. Fix by either (A) reverting/deleting the
two replace directives for "github.com/codeready-toolchain/api" and
"github.com/codeready-toolchain/toolchain-common" once the upstream PRs are
merged, running go mod tidy to update dependencies, or (B) move these local
overrides out of versioned go.mod into a local-only mechanism (e.g., a
git-ignored go.mod.local or a developer-only replace workflow) so master never
contains personal fork replaces. Ensure you run go mod tidy/go mod download
after the change to validate module resolution.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c207f51d-e0b7-45e3-94bb-d19ca8d1a1aa

📥 Commits

Reviewing files that changed from the base of the PR and between 3a2b86a and 8ea1023.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (12)

• config/crd/bases/toolchain.dev.openshift.com_idlers.yaml
• config/crd/bases/toolchain.dev.openshift.com_memberoperatorconfigs.yaml
• config/crd/bases/toolchain.dev.openshift.com_memberstatuses.yaml
• config/crd/bases/toolchain.dev.openshift.com_nstemplatesets.yaml
• config/crd/bases/toolchain.dev.openshift.com_spacebindingrequests.yaml
• config/crd/bases/toolchain.dev.openshift.com_spacerequests.yaml
• config/crd/bases/toolchain.dev.openshift.com_toolchainclusters.yaml
• config/crd/bases/toolchain.dev.openshift.com_useraccounts.yaml
• config/crd/bases/toolchain.dev.openshift.com_workspaces.yaml
• controllers/useraccount/useraccount_controller_test.go
• go.mod
• pkg/webhook/deploy/deployment_test.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Checking replace directives in go.mod..."
rg -n '^replace\s+github.com/codeready-toolchain/(api|toolchain-common)\s*=>\s*github.com/metlos/' go.mod || true

API_COMMIT=237e681a639a
COMMON_COMMIT=fbd4bba9beb1

echo
echo "Verifying whether pinned commits exist only on fork remotes:"
echo "[api upstream]"
git ls-remote https://github.com/codeready-toolchain/api.git | rg "${API_COMMIT}" || true
echo "[api fork]"
git ls-remote https://github.com/metlos/api.git | rg "${API_COMMIT}" || true

echo
echo "[toolchain-common upstream]"
git ls-remote https://github.com/codeready-toolchain/toolchain-common.git | rg "${COMMON_COMMIT}" || true
echo "[toolchain-common fork]"
git ls-remote https://github.com/metlos/toolchain-common.git | rg "${COMMON_COMMIT}" || true

Repository: codeready-toolchain/member-operator

Length of output: 758

---

Remove personal-fork replace directives before merging to master.

Lines 133–135 reroute core dependencies to personal forks, creating maintainability and supply-chain risk on shared branches. While verification shows these commits exist as pending upstream pull requests (API #501, toolchain-common #522), using replace directives to circumvent the upstream review process is not appropriate for master.

Action: Either merge the upstream pull requests (which will release the commits to canonical modules) and remove these replace directives, or restrict the replace directives to feature branches only via .gitignore or a separate local go.mod.local workflow.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 133 - 135, The go.mod contains personal-fork replace
directives pointing github.com/codeready-toolchain/api and
github.com/codeready-toolchain/toolchain-common to metlos forks; remove those
replace lines before merging to master. Fix by either (A) reverting/deleting the
two replace directives for "github.com/codeready-toolchain/api" and
"github.com/codeready-toolchain/toolchain-common" once the upstream PRs are
merged, running go mod tidy to update dependencies, or (B) move these local
overrides out of versioned go.mod into a local-only mechanism (e.g., a
git-ignored go.mod.local or a developer-only replace workflow) so master never
contains personal fork replaces. Ensure you run go mod tidy/go mod download
after the change to validate module resolution.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeykazakov, metlos

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [alexeykazakov,metlos]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

go.mod (1)

133-135: ⚠️ Potential issue | 🟠 Major

Remove personal-fork replace directives before merging.

The replace directives redirect core dependencies (github.com/codeready-toolchain/api and toolchain-common) to personal fork repositories at specific commit hashes. Merging these to master creates significant supply-chain and maintainability risks:

• Supply-chain risk: Dependencies are sourced from personal repositories rather than the canonical upstream, bypassing the upstream review process.
• Maintainability burden: Future updates require manual tracking of fork commits; the dependency graph becomes opaque to standard Go tooling.
• Critical dependency scope: The context snippets show these modules are used extensively across controllers for condition management (condition.FindConditionByType, condition.AddOrUpdateStatusConditions), client utilities (applycl.NewApplyClient, commonclient.SameGVKandName), controller patterns (commoncontroller), and event filtering (commonpredicates).

Action required: Either (A) merge the corresponding upstream pull requests and remove these replace directives, updating dependencies via go get, or (B) restrict fork-based replace directives to feature branches only (e.g., via .gitignore or local-only go.mod.local workflow).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 133 - 135, Remove the personal-fork replace directives
from go.mod (the two replace lines pointing github.com/codeready-toolchain/* to
github.com/metlos/*) before merging; either merge the corresponding upstream PRs
and update the modules using `go get`/`go mod tidy` so the canonical
github.com/codeready-toolchain modules are used, or keep these replaces only in
a local/feature-only mechanism (e.g., ignored go.mod.local) to avoid committing
them. Look for usages in code paths referencing condition.FindConditionByType,
condition.AddOrUpdateStatusConditions, applycl.NewApplyClient,
commonclient.SameGVKandName, commoncontroller and commonpredicates to ensure
compatibility after switching back to upstream, and run `go test`/`go vet` and
`go mod tidy` to fix any version mismatches.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 6-22: Update the controller-runtime dependency to a v0.22.x
release to match k8s.io v0.34.x: replace the current module entry
"sigs.k8s.io/controller-runtime v0.21.0" in go.mod with a v0.22.x version (e.g.,
v0.22.0 or newer v0.22.patch), run "go get
sigs.k8s.io/controller-runtime@v0.22.x" and "go mod tidy" to refresh
dependencies, and ensure the module's Go version (go directive) is set to 1.24
or higher to satisfy k8s.io v0.34.x requirements.

---

Duplicate comments:
In `@go.mod`:
- Around line 133-135: Remove the personal-fork replace directives from go.mod
(the two replace lines pointing github.com/codeready-toolchain/* to
github.com/metlos/*) before merging; either merge the corresponding upstream PRs
and update the modules using `go get`/`go mod tidy` so the canonical
github.com/codeready-toolchain modules are used, or keep these replaces only in
a local/feature-only mechanism (e.g., ignored go.mod.local) to avoid committing
them. Look for usages in code paths referencing condition.FindConditionByType,
condition.AddOrUpdateStatusConditions, applycl.NewApplyClient,
commonclient.SameGVKandName, commoncontroller and commonpredicates to ensure
compatibility after switching back to upstream, and run `go test`/`go vet` and
`go mod tidy` to fix any version mismatches.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b9c4f819-e725-40d5-8a3f-b7f20b4707e4

📥 Commits

Reviewing files that changed from the base of the PR and between 8ea1023 and fda5061.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify k8s 0.34.x and controller-runtime 0.21.0 compatibility

echo "=== Checking for known breaking changes in Kubernetes 0.34.x ==="
echo "Searching CHANGELOG and release notes..."

# Check if there are references to v0.34 upgrade issues in test files
echo -e "\n=== Checking test files for upgrade-related changes ==="
rg -n -C3 --type=go 'fake.*[Cc]lient|managed.*field' --glob='*_test.go' | head -50

# Look for controller-runtime usage patterns that might be affected
echo -e "\n=== Checking controller-runtime client usage ==="
rg -n --type=go 'Client\.Status\(\)\.Update|Client\.Update|Client\.Patch' --glob='controllers/**/*.go' | head -20

Repository: codeready-toolchain/member-operator

Length of output: 1818

---

🌐 Web query:

What are the breaking changes in Kubernetes 1.34 (k8s.io v0.34.x) client-go and apimachinery?

💡 Result:

k8s.io/client-go (v0.34.x) — breaking changes

• Minimum Go version bumped to Go 1.24: k8s.io/client-go@v0.34.0 declares go 1.24.0 (and godebug default=go1.24). If you build with an older Go toolchain, your build will fail. [1]

I couldn’t find any other explicitly documented client-go API removals / signature breaks specific to the v0.34.0 bump in upstream release notes/changelogs (the rest of the notable items I found were fixes or internal dependency refactors, not consumer-facing breaks).

k8s.io/apimachinery (v0.34.x) — breaking changes

• Minimum Go version bumped to Go 1.24: k8s.io/apimachinery@v0.34.0 declares go 1.24.0 (and godebug default=go1.24). This is a build-breaking change for consumers on older Go versions. [2]

Notable (but not breaking yet): apimachinery deprecations in the 1.34 line

• Deprecated MessageCountMap and CreateAggregateFromMessageCountMap in apimachinery. (Deprecation is not an immediate breaking change, but it’s the main “API change” called out in 1.34-related notes I found.) [3]

Sources

[1] k8s.io/client-go v0.34.0 go.mod (Go 1.24 requirement) (raw.githubusercontent.com)
[2] k8s.io/apimachinery v0.34.0 go.mod (Go 1.24 requirement) (raw.githubusercontent.com)
[3] Kubernetes 1.34 changelog note: apimachinery deprecations (raw.githubusercontent.com)

Citations:

• 1: https://raw.githubusercontent.com/kubernetes/client-go/v0.34.0/go.mod
• 2: https://raw.githubusercontent.com/kubernetes/apimachinery/v0.34.0/go.mod
• 3: https://raw.githubusercontent.com/kubernetes/kubernetes/master/CHANGELOG/CHANGELOG-1.34.md

---

🌐 Web query:

Is controller-runtime v0.21.0 compatible with Kubernetes 1.34 (k8s.io v0.34.x)?

💡 Result:

No—controller-runtime v0.21.0 is not the supported/tested match for Kubernetes 1.34 (k8s.io v0.34.x).

• The controller-runtime project states that each minor controller-runtime release is tested against a specific k8s.io/ (client-go) minor*, and other combinations are “by chance” and not supported nor tested. In its compatibility table, controller-runtime v0.21 → k8s.io/ v0.33* (i.e., Kubernetes 1.33), while v0.22 → k8s.io/ v0.34* (i.e., Kubernetes 1.34). [1]
• The controller-runtime release notes for the v0.22 line explicitly include updating k8s.io/ from v0.33.0 to v0.34.0*. [2]

Recommendation: For Kubernetes 1.34 / k8s.io v0.34.x, use controller-runtime v0.22.x (or newer), not v0.21.0. [1][2]

Sources:
[1] controller-runtime README “Compatibility” table and policy (github.com)
[2] controller-runtime GitHub Releases (k8s.io/* v0.33 → v0.34 change) (github.com)

Citations:

• 1: https://github.com/kubernetes-sigs/controller-runtime
• 2: https://github.com/kubernetes-sigs/controller-runtime/releases

---

Upgrade controller-runtime to v0.22.x to match Kubernetes 1.34 (k8s.io v0.34.x).

The current go.mod pairs controller-runtime v0.21.0 with k8s.io v0.34.x, but this is an unsupported combination. According to the controller-runtime compatibility matrix, v0.21 is tested against k8s.io v0.33, while v0.22.x is the supported release for k8s.io v0.34.x. This mismatch is not tested and introduces risk of subtle runtime failures.

Additionally, k8s.io v0.34.x requires Go 1.24—verify that your build targets Go 1.24 or later.

Upgrade to controller-runtime v0.22.x to align with the Kubernetes 1.34 ecosystem.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 6 - 22, Update the controller-runtime dependency to a
v0.22.x release to match k8s.io v0.34.x: replace the current module entry
"sigs.k8s.io/controller-runtime v0.21.0" in go.mod with a v0.22.x version (e.g.,
v0.22.0 or newer v0.22.patch), run "go get
sigs.k8s.io/controller-runtime@v0.22.x" and "go mod tidy" to refresh
dependencies, and ensure the module's Go version (go directive) is set to 1.24
or higher to satisfy k8s.io v0.34.x requirements.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[metlos]

Postponed until operator-sdk is upgradable, too.