[SANDBOX-1700] chore: upgrade to OCP 4.21 dependencies #501

Open
metlos wants to merge 5 commits into codeready-toolchain:master from metlos:upgrade-ocp-4.21

metlos commented Mar 17, 2026

Update openshift/api to release-4.21, k8s.io deps to v0.34.1, controller-runtime to v0.22.0, and controller-tools to v0.19.0.

https://redhat.atlassian.net/browse/SANDBOX-1700

Checks

  1. Did you run make generate target? no
    This would only change the controller-gen.kubebuilder.io/version annotation from 0.18.0 to 0.19.0. No actual changes to the CRDs.

  2. Did make generate change anything in other projects (host-operator, member-operator)? no
    See above

Summary by CodeRabbit

  • Chores
    • Updated core Kubernetes/OpenShift-related dependencies and supporting libraries to newer releases; refreshed several indirect dependencies and added newer YAML libraries.
    • Replaced and consolidated some Kubernetes/SIGs modules with their updated versions.
    • No public APIs or user-visible behavior changed; maintenance-focused compatibility and security updates.

Update openshift/api to release-4.21, k8s.io deps to v0.34.1,
controller-runtime to v0.22.0, and controller-tools to v0.19.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

coderabbitai bot commented Mar 17, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Updated go.mod dependency versions: Kubernetes modules to v0.34.1, github.com/openshift/api advanced to a release-4.21 pseudo-version, and several indirect/transitive libraries bumped or added. No source code or exported API changes. (50 words)

Changes

Cohort / File(s): Dependency updates (go.mod)
Summary: Updated direct Kubernetes modules (k8s.io/api, k8s.io/apimachinery, k8s.io/kube-openapi) to newer versions/commits and advanced github.com/openshift/api to a release-4.21 commit; bumped/added multiple indirect dependencies (e.g., sigs.k8s.io/structured-merge-diff v6, sigs.k8s.io/yaml, github.com/fxamacker/cbor/v2, github.com/modern-go/reflect2, k8s.io/gengo, k8s.io/utils, go.yaml.in/yaml/v2, .../v3). No code or exported API changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Title check: ✅ Passed. The title clearly and concisely describes the main change: upgrading to OCP 4.21 dependencies, which aligns with the go.mod updates shown in the changeset.
  • Description check: ✅ Passed. The description addresses the core changes and explains the dependency updates, but does not fully follow the template structure, missing some checkbox items and formatting.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
go.mod (1)

3-5: ⚠️ Potential issue | 🟡 Minor

Document the toolchain version intent if it diverges from CI expectations.

The go 1.24.4 declaration will be used by CI workflows (actions/setup-go reads the go directive), while the toolchain go1.24.13 suggestion only applies locally if toolchain auto-selection is enabled. This creates a potential build environment inconsistency: developers may build and test with Go 1.24.13 while CI validates with Go 1.24.4. If this is intentional for reproducibility/standardization, document it; if unintentional, align the versions.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 3 - 5, The go.mod declares "go 1.24.4" while the
toolchain line is "toolchain go1.24.13", causing CI vs local toolchain mismatch;
either make them identical (update "go 1.24.4" to "go 1.24.13" or change
"toolchain go1.24.13" to match 1.24.4) or add a short comment in the repo README
or a new TOOLCHAIN.md explaining the intentional divergence and which version CI
(go directive) and local toolchain (toolchain directive) should use; update the
go.mod and documentation consistently and mention the authoritative source (CI
uses the go directive).
🧹 Nitpick comments (1)
go.mod (1)

9-10: Update the OpenShift branch comment to match the actual upgrade target.

The inline comment says release-4.20 while this PR upgrades to OCP 4.21 and bumps github.com/openshift/api accordingly. Keeping this stale comment will mislead future dependency updates.

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 9 - 10, Update the inline comment above the
github.com/openshift/api dependency in go.mod so it reflects the actual target
branch release-4.21 (instead of stale release-4.20) to match the bumped
dependency version; locate the comment near the github.com/openshift/api
v0.0.0-20260304172252-b0658d22beea entry and change the branch name text to
release-4.21.

ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between 4ff0e6b and f94bc6f.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

go.mod Outdated
@@ -7,54 +7,56 @@ toolchain go1.24.13
require (
github.com/go-bindata/go-bindata v3.1.2+incompatible
// using latest commit from 'github.com/openshift/api branch release-4.20'

Suggested change
// using latest commit from 'github.com/openshift/api branch release-4.20'
// using latest commit from 'github.com/openshift/api branch release-4.21'

Comment on lines +11 to +13
k8s.io/api v0.34.1
k8s.io/apimachinery v0.34.1
k8s.io/code-generator v0.34.1

Out of curiosity, why not use the v0.34.4 version?
Also, there seems to be a mismatch between this repo and the other ones. I know that it's a z-stream, so it should be just a detail, but let's try to keep it consistent.

+1 regarding keeping the same version in each repo

However, I have a concern. Openshift 4.21 uses k8s 1.34 but operator-sdk latest tag 1.42.1 still uses 1.33.

According to Kanika's guideline:

In the case that the Kubernetes version is not the same in the above two projects, then either use the smaller version of the two in which case the dependencies may not be the most up to date or wait for a version of the project that both support the same Kubernetes version.

yep, I noticed this, too. Should be fixed now and everything should be using the exact versions as the versions in OCP 4.21. That uses k8s* v0.34.1, so I wanted to be exact to limit the possibility of surprise.

go.mod Outdated
sigs.k8s.io/controller-runtime v0.21.0
sigs.k8s.io/controller-tools v0.18.0
k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
sigs.k8s.io/controller-runtime v0.22.1
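Review bot: the last line of this hunk pins sigs.k8s.io/controller-runtime at v0.22.1, while the PR description and commit message state the update is to v0.22.0. Either pin v0.22.0 or correct the description so the recorded intent matches go.mod. The k8s.io/kube-openapi line is a bare pseudo-version (v0.0.0-20250710124328-f3f2b991d03b); a comment naming the branch or release it tracks, like the one kept above github.com/openshift/api, would make the next bump easier to audit.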

How did you "pick" this version? (Asking for learning purposes, I usually align with operator-sdk)

The 0.22.x causes different kinds of problems with SSA in the fake client that are not worth upgrading to.
go.mod Outdated
k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
sigs.k8s.io/controller-runtime v0.21.0
sigs.k8s.io/controller-tools v0.18.0
sigs.k8s.io/controller-tools v0.19.0
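Review bot: the sigs.k8s.io/controller-tools bump to v0.19.0 on the last line of this hunk lands without regenerated output, since the PR description says make generate was not run because only the controller-gen.kubebuilder.io/version annotation would change from 0.18.0 to 0.19.0. Committing that regenerated annotation in the same PR keeps the generated CRDs in step with the pinned generator, so a later unrelated make generate does not produce a version-only diff.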

@metlos sorry for questioning the versions a lot, just asking to understand and for learning purposes as well. How did you get the sigs.k8s.io/controller-tools version?

@metlos metlos force-pushed the upgrade-ocp-4.21 branch from 6d468a1 to d8e6b4c Compare April 9, 2026 14:51

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 13: The go.mod currently pins k8s.io/code-generator to v0.33.4 which is
incompatible with k8s.io/api and k8s.io/apimachinery at v0.34.1; update the
module requirement for k8s.io/code-generator to v0.34.1 in go.mod (replace the
existing k8s.io/code-generator v0.33.4 entry with v0.34.1), then run go mod tidy
and regenerate any code (deepcopy/client/informer) that depends on the
code-generator to ensure all Kubernetes staging repos use the matching v0.34.1
version.
- Line 60: go.mod currently pulls sigs.k8s.io/structured-merge-diff/v6@v6.3.0
which is incompatible with sigs.k8s.io/controller-runtime@v0.21.0 (which expects
structured-merge-diff v4.x); fix by making versions consistent: either pin
sigs.k8s.io/structured-merge-diff to the v4 series expected by
controller-runtime (e.g., v4.6.0) or upgrade sigs.k8s.io/controller-runtime to a
release that explicitly supports structured-merge-diff v6, then run `go mod
tidy` and `go test` to verify no API breakage (refer to the module names
sigs.k8s.io/structured-merge-diff/v6 and sigs.k8s.io/controller-runtime in the
diff).
ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between 6d468a1 and d8e6b4c.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

sigs.k8s.io/randfill v1.0.0 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
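Review bot: the indirect sigs.k8s.io/structured-merge-diff entry appears in this hunk under two major-version paths (/v4 v4.6.0 and /v6 v6.3.0), and under Go's semantic import versioning those are distinct module paths whose versions are selected independently of each other. Record in the PR which requirement brings in /v6 (the go mod graph output filtered on structured-merge-diff) so a reviewer can confirm that each direct dependency is built against the major version it declares.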

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check which dependency requires structured-merge-diff/v6

go mod graph | grep "structured-merge-diff"

# Verify compatibility with controller-runtime
go mod graph | grep "controller-runtime.*structured-merge-diff"

Repository: codeready-toolchain/api

Length of output: 1457


🌐 Web query:

What are the breaking changes in sigs.k8s.io/structured-merge-diff from v4 to v6?

💡 Result:

Breaking changes when upgrading sigs.k8s.io/structured-merge-diff from v4.x to v6.x:

  1. Go module / import path changed (major-version suffix)
  • Update imports from sigs.k8s.io/structured-merge-diff/v4/... to sigs.k8s.io/structured-merge-diff/v6/... (the module path in go.mod is different). [1], [2]
  2. Removal (unexporting) of JSON-iter-based public APIs
  • In v4, the value package publicly exposed json-iterator types in its API surface (e.g. ReadJSONIter(*jsoniter.Iterator) and WriteJSONStream(..., *jsoniter.Stream)). [3]
  • In v6.0.0, these were unexported/removed from the public API specifically to enable migration away from the unmaintained json-iterator library. [4]
  • As a result, code calling those functions must switch to the remaining supported helpers like value.FromJSON / value.FromJSONFast and value.ToJSON (which don’t require json-iter types). [5]

Sources
[1] https://raw.githubusercontent.com/kubernetes-sigs/structured-merge-diff/v4.7.0/go.mod
[2] https://raw.githubusercontent.com/kubernetes-sigs/structured-merge-diff/v6.0.0/go.mod
[3] https://pkg.go.dev/sigs.k8s.io/structured-merge-diff/v4/value
[4] https://github.com/kubernetes-sigs/structured-merge-diff/releases/tag/v6.0.0
[5] https://pkg.go.dev/sigs.k8s.io/structured-merge-diff/v6/value


Critical: Version conflict with controller-runtime — structured-merge-diff/v6 incompatible with controller-runtime/v0.21.0

The go.mod specifies sigs.k8s.io/structured-merge-diff/v6@v6.3.0, but sigs.k8s.io/controller-runtime@v0.21.0 (your direct dependency at line 47) requires v4.6.0. While Go's module system resolves this to v6 (highest version), this creates a compatibility gap: structured-merge-diff v6 removed public JSON-iterator-based APIs that were present in v4. If controller-runtime attempts to call these removed APIs, it will fail at runtime.

Either downgrade structured-merge-diff/v6 back to v4, or upgrade controller-runtime to a version compatible with v6 (and verify all K8s API packages use consistent versions).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 60, go.mod currently pulls
sigs.k8s.io/structured-merge-diff/v6@v6.3.0 which is incompatible with
sigs.k8s.io/controller-runtime@v0.21.0 (which expects structured-merge-diff
v4.x); fix by making versions consistent: either pin
sigs.k8s.io/structured-merge-diff to the v4 series expected by
controller-runtime (e.g., v4.6.0) or upgrade sigs.k8s.io/controller-runtime to a
release that explicitly supports structured-merge-diff v6, then run `go mod
tidy` and `go test` to verify no API breakage (refer to the module names
sigs.k8s.io/structured-merge-diff/v6 and sigs.k8s.io/controller-runtime in the
diff).
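
A check for the k8s.io version skew this review describes, as an added example that is not part of the original thread or of the project's code: it reads a go.mod text and reports tagged k8s.io modules whose v0.MINOR differs from that of k8s.io/api. The sample go.mod is constructed from the versions quoted above, and comparing only tagged v0.x versions is an assumption of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample built from versions quoted in the review; not the repository's real go.mod.
const sampleGoMod = `require (
	k8s.io/api v0.34.1
	k8s.io/apimachinery v0.34.1
	k8s.io/code-generator v0.33.4
	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
)`

// minor reduces a tagged version such as "v0.34.1" to "v0.34".
func minor(v string) string {
	p := strings.SplitN(v, ".", 3)
	if len(p) < 3 {
		return ""
	}
	return p[0] + "." + p[1]
}

// stagingSkew lists k8s.io modules whose v0.MINOR differs from k8s.io/api.
// Assumption: only tagged v0.x versions are compared; pseudo-versions are skipped.
func stagingSkew(gomod string) []string {
	versions := map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && strings.HasPrefix(f[0], "k8s.io/") &&
			strings.HasPrefix(f[1], "v0.") && !strings.HasPrefix(f[1], "v0.0.0-") {
			versions[f[0]] = f[1]
		}
	}
	want := minor(versions["k8s.io/api"])
	var skewed []string
	for mod, v := range versions {
		if want != "" && minor(v) != want {
			skewed = append(skewed, mod+"@"+v)
		}
	}
	sort.Strings(skewed)
	return skewed
}

func main() {
	fmt.Println(stagingSkew(sampleGoMod)) // [k8s.io/code-generator@v0.33.4]
}
```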
