
[SANDBOX-1702] Upgrade to OCP 4.21 #1250

Closed
metlos wants to merge 13 commits into codeready-toolchain:master from metlos:upgrade-ocp-4.21

Conversation

@metlos
Contributor

@metlos metlos commented Mar 18, 2026

Related PRs:

Summary by CodeRabbit

  • Chores

    • Upgraded Kubernetes, OpenShift and controller/tooling libraries and refreshed numerous indirect dependencies.
    • Updated CRD metadata annotations to the newer controller-gen version and adjusted local module mappings.
  • Tests

    • Updated tests to expect the revised API validation error message format (now includes full resource type).

metlos and others added 4 commits March 11, 2026 16:24
Update openshift/api to release-4.21, openshift/library-go to release-4.21,
k8s.io dependencies to v0.34.3, and controller-runtime to v0.22.5.

Fix test assertion for changed k8s validation error message format that now
includes the resource type in the error string.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci openshift-ci bot requested review from mfrancisc and xcoulon March 18, 2026 12:48
@coderabbitai

coderabbitai bot commented Mar 18, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Updated controller-gen CRD annotation values from v0.18.0 → v0.19.0 across CRD manifests, adjusted one test's expected error string, and upgraded multiple Go module dependencies including Kubernetes libs, controller-tools, Prometheus, OpenShift libs, plus added replace directives remapping codeready-toolchain modules.

Changes

Cohort / File(s) / Summary

CRD Version Annotations
  • config/crd/bases/toolchain.dev.openshift.com_bannedusers.yaml
  • config/crd/bases/toolchain.dev.openshift.com_masteruserrecords.yaml
  • config/crd/bases/toolchain.dev.openshift.com_notifications.yaml
  • config/crd/bases/toolchain.dev.openshift.com_nstemplatetiers.yaml
  • config/crd/bases/toolchain.dev.openshift.com_proxyplugins.yaml
  • config/crd/bases/toolchain.dev.openshift.com_socialevents.yaml
  • config/crd/bases/toolchain.dev.openshift.com_spacebindingrequests.yaml
  • config/crd/bases/toolchain.dev.openshift.com_spacebindings.yaml
  • config/crd/bases/toolchain.dev.openshift.com_spaceprovisionerconfigs.yaml
  • config/crd/bases/toolchain.dev.openshift.com_spacerequests.yaml
  • config/crd/bases/toolchain.dev.openshift.com_spaces.yaml
  • config/crd/bases/toolchain.dev.openshift.com_tiertemplaterevisions.yaml
  • config/crd/bases/toolchain.dev.openshift.com_tiertemplates.yaml
  • config/crd/bases/toolchain.dev.openshift.com_toolchainclusters.yaml
  • config/crd/bases/toolchain.dev.openshift.com_toolchainconfigs.yaml
  • config/crd/bases/toolchain.dev.openshift.com_toolchainstatuses.yaml
  • config/crd/bases/toolchain.dev.openshift.com_usersignups.yaml
  • config/crd/bases/toolchain.dev.openshift.com_usertiers.yaml
  Changed metadata.annotations["controller-gen.kubebuilder.io/version"] from v0.18.0 to v0.19.0 in all listed CRD manifests; no schema or behavioral changes.

Test Assertion Update
  • controllers/usersignup/status_updater_test.go
  Updated expected error string to include the full resource type UserSignup.toolchain.dev.openshift.com in the test assertion.

Dependency & Module Changes
  • go.mod
  Bumped many dependencies: Kubernetes modules to v0.34.1, sigs.k8s.io/controller-tools → v0.19.0, github.com/prometheus/client_golang → v1.23.2, OpenShift libs to release-4.21 refs, refreshed numerous indirects, removed an indirect, and added replace directives mapping github.com/codeready-toolchain/* → github.com/metlos/*.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly describes the main objective of the PR: upgrading to OCP 4.21, which aligns with the go.mod dependency updates and CRD annotation changes throughout the changeset.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 160-162: Remove the two replace directives that point
github.com/codeready-toolchain/api and
github.com/codeready-toolchain/toolchain-common to your personal fork
(github.com/metlos/*); specifically delete the replace lines referencing
github.com/metlos/api and github.com/metlos/toolchain-common from go.mod so the
project uses the upstream modules again, and if the fork is required only for
temporary local development, move those replaces into a local branch or
developer-specific go.mod/go.work and add a comment or README entry describing
the temporary nature and cleanup plan.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 622badbb-6de9-47e6-b574-d8021dc2183e

📥 Commits

Reviewing files that changed from the base of the PR and between 4ff1ff9 and bc31e34.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (20)
  • config/crd/bases/toolchain.dev.openshift.com_bannedusers.yaml
  • config/crd/bases/toolchain.dev.openshift.com_masteruserrecords.yaml
  • config/crd/bases/toolchain.dev.openshift.com_notifications.yaml
  • config/crd/bases/toolchain.dev.openshift.com_nstemplatetiers.yaml
  • config/crd/bases/toolchain.dev.openshift.com_proxyplugins.yaml
  • config/crd/bases/toolchain.dev.openshift.com_socialevents.yaml
  • config/crd/bases/toolchain.dev.openshift.com_spacebindingrequests.yaml
  • config/crd/bases/toolchain.dev.openshift.com_spacebindings.yaml
  • config/crd/bases/toolchain.dev.openshift.com_spaceprovisionerconfigs.yaml
  • config/crd/bases/toolchain.dev.openshift.com_spacerequests.yaml
  • config/crd/bases/toolchain.dev.openshift.com_spaces.yaml
  • config/crd/bases/toolchain.dev.openshift.com_tiertemplaterevisions.yaml
  • config/crd/bases/toolchain.dev.openshift.com_tiertemplates.yaml
  • config/crd/bases/toolchain.dev.openshift.com_toolchainclusters.yaml
  • config/crd/bases/toolchain.dev.openshift.com_toolchainconfigs.yaml
  • config/crd/bases/toolchain.dev.openshift.com_toolchainstatuses.yaml
  • config/crd/bases/toolchain.dev.openshift.com_usersignups.yaml
  • config/crd/bases/toolchain.dev.openshift.com_usertiers.yaml
  • controllers/usersignup/status_updater_test.go
  • go.mod

Comment thread go.mod Outdated
@openshift-ci

openshift-ci bot commented Mar 18, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeykazakov, MatousJobanek, metlos

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [MatousJobanek,alexeykazakov,metlos]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@metlos
Contributor Author

metlos commented Mar 18, 2026

/retest

@metlos metlos force-pushed the upgrade-ocp-4.21 branch from fe93d54 to 45ca59b March 27, 2026 12:54

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 160-162: The go.mod contains replace directives redirecting
github.com/codeready-toolchain/api and
github.com/codeready-toolchain/toolchain-common to github.com/metlos/* forks;
either remove these replace lines if they are no longer required, or annotate
them with a clear inline comment explaining they are temporary (e.g., "TODO:
remove replace when upstream PRs X and Y are merged") and reference the
coordinating PRs/issue IDs and expected cleanup timeline so reviewers know why
github.com/metlos/api and github.com/metlos/toolchain-common are used.
- Line 140: go.mod currently lists google.golang.org/grpc only as an indirect
v1.72.1 which has a critical vulnerability; add an explicit require for
google.golang.org/grpc v1.79.3 in the go.mod require block (or add it alongside
existing requires) to force the dependency upgrade so the patched gRPC version
is used across the dependency tree.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 1258d223-c5de-493d-8d37-793dd84f86e3

📥 Commits

Reviewing files that changed from the base of the PR and between bc31e34 and 86d84a8.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod Outdated
Comment thread go.mod Outdated
Comment on lines +160 to +162
replace github.com/codeready-toolchain/api => github.com/metlos/api v0.0.0-20260327105121-b79d7632f264

replace github.com/codeready-toolchain/toolchain-common => github.com/metlos/toolchain-common v0.0.0-20260327121435-9f768c4ff11c
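Review bot: both replace targets are pseudo-versions, which at least pins each fork to a single commit, but the go.sum entries that record those commits are excluded from this review by the path filter above, so nobody in the thread has checked the hashes for github.com/metlos/api and github.com/metlos/toolchain-common; the toolchain-common pseudo-version is also re-pinned in later review rounds (v0.0.0-20260327131152-458d0e3f354d, then v0.0.0-20260407101204-7a27a3b307f9), and each re-pin silently swaps the fork commit under review. Add a comment above each replace naming the upstream PR it tracks, or drop both before merge and require the released upstream versions instead.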


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check for documentation of temporary replace directives and similar patterns in other repos

echo "== Checking for TODO/FIXME/TEMPORARY comments near replace directives =="
rg -n -B2 -A2 '^\s*replace\s+github\.com/codeready-toolchain' go.mod

echo -e "\n== Checking PR-related PRs for status =="
# Check if related PRs are mentioned in docs
rg -n 'toolchain-common.*522|api.*501' -g '*.md' -g 'go.mod'

Repository: codeready-toolchain/host-operator

Length of output: 465


🏁 Script executed:

#!/bin/bash
# Check the git history and current state of replace directives
echo "=== Check if replace directives are in the original go.mod before this PR ==="
# List recent go.mod modifications
git log --oneline -10 -- go.mod 2>/dev/null | head -5

echo -e "\n=== Check full go.mod context around replace directives ==="
sed -n '155,165p' go.mod

Repository: codeready-toolchain/host-operator

Length of output: 525


🏁 Script executed (no clone):

#!/bin/bash
# Search web for recent toolchain-common and api PR discussions related to version upgrades
# This helps verify if the mentioned PRs (`#522`, `#501`) are real and their purpose
echo "Note: Cannot directly access GitHub PR URLs without authenticated API, but the presence of"
echo "metlos forks with specific commit hashes (b79d7632f264, 9f768c4ff11c) suggests these are"
echo "deliberate fork references, likely for coordinating multi-repo changes."

Length of output: 282


🏁 Script executed:

#!/bin/bash
# Check if there's any documentation about the replace directives in README or other docs
echo "=== Searching for any explanation of the replace directives in documentation ==="
find . -maxdepth 2 -name "*.md" -type f | xargs rg -l "replace|fork|metlos" 2>/dev/null || echo "No matches found"

echo -e "\n=== Check go.mod comments ==="
# Look for any comments in go.mod explaining the replace directives
grep -n "^//" go.mod | tail -20

Repository: codeready-toolchain/host-operator

Length of output: 630


Document or remove undocumented fork overrides.

The replace directives for codeready-toolchain/api and codeready-toolchain/toolchain-common (lines 160, 162) redirect to personal forks (github.com/metlos/*) with no inline documentation, cleanup plan, or explanation. This creates a trust boundary concern and risks unintended merges of work-in-progress versions. Either:

  1. Add a comment documenting their temporary nature and referencing dependent upstream work (e.g., "TODO: Remove once coordinating PRs are merged"), or
  2. Remove them if they are no longer needed.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 160 - 162, The go.mod contains replace directives
redirecting github.com/codeready-toolchain/api and
github.com/codeready-toolchain/toolchain-common to github.com/metlos/* forks;
either remove these replace lines if they are no longer required, or annotate
them with a clear inline comment explaining they are temporary (e.g., "TODO:
remove replace when upstream PRs X and Y are merged") and reference the
coordinating PRs/issue IDs and expected cleanup timeline so reviewers know why
github.com/metlos/api and github.com/metlos/toolchain-common are used.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (2)
go.mod (2)

160-162: ⚠️ Potential issue | 🟠 Major

Fork replacements remain undocumented.

This concern has been raised multiple times in previous reviews. While these replace directives may be necessary for coordinating the multi-repo upgrade (related PRs #522, #501), they still lack inline documentation explaining their temporary nature and cleanup plan.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 160 - 162, The replace directives for modules
github.com/codeready-toolchain/api and
github.com/codeready-toolchain/toolchain-common in go.mod are undocumented; add
an inline comment above each replace explaining that these are temporary fork
replacements, reference the coordinating PRs (`#522`, `#501`), state the intended
cleanup action (remove the replace once upstream versions are published), and
include an owner and expected timeline (e.g., who will remove them and target
date/condition) so reviewers know they are not permanent.

140-140: ⚠️ Potential issue | 🔴 Critical

Critical gRPC vulnerability persists.

This concern was already raised in a previous review: google.golang.org/grpc v1.72.1 contains CVE-2026-33186, a critical authorization bypass vulnerability. The fix requires v1.79.3 or later. Add an explicit require directive to force the upgrade.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 140, The go.mod currently lists google.golang.org/grpc
v1.72.1 (indirect) which contains CVE-2026-33186; add an explicit require
directive for google.golang.org/grpc at v1.79.3 (or newer) to force the upgrade,
then run go mod tidy (or go get google.golang.org/grpc@v1.79.3) to update the
module graph and vendor files so the project no longer pulls the vulnerable
v1.72.1 version.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 24-27: The go.mod now depends on k8s.io/* v0.34.1 but the linked
toolchain-common module still uses k8s v0.33.4; update the toolchain-common
dependency to a version that also uses k8s v0.34.x (or merge/coordinate the
companion PR in toolchain-common that bumps its k8s.io/* deps to v0.34.1), and
remove or adjust any temporary fork/replace directives that mask the mismatch so
the final go.mod and the toolchain-common module consistently use k8s v0.34.1 to
avoid type/client conflicts.

---

Duplicate comments:
In `@go.mod`:
- Around line 160-162: The replace directives for modules
github.com/codeready-toolchain/api and
github.com/codeready-toolchain/toolchain-common in go.mod are undocumented; add
an inline comment above each replace explaining that these are temporary fork
replacements, reference the coordinating PRs (`#522`, `#501`), state the intended
cleanup action (remove the replace once upstream versions are published), and
include an owner and expected timeline (e.g., who will remove them and target
date/condition) so reviewers know they are not permanent.
- Line 140: The go.mod currently lists google.golang.org/grpc v1.72.1 (indirect)
which contains CVE-2026-33186; add an explicit require directive for
google.golang.org/grpc at v1.79.3 (or newer) to force the upgrade, then run go
mod tidy (or go get google.golang.org/grpc@v1.79.3) to update the module graph
and vendor files so the project no longer pulls the vulnerable v1.72.1 version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: b5358657-70c9-46b3-b7c7-24d89f6c736c

📥 Commits

Reviewing files that changed from the base of the PR and between 86d84a8 and 45ca59b.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod

@coderabbitai coderabbitai bot left a comment


♻️ Duplicate comments (3)
go.mod (3)

160-162: 🛠️ Refactor suggestion | 🟠 Major

Remove or tightly justify personal fork replace directives before merge.

Root go.mod currently redirects core modules to github.com/metlos/*. That alters the dependency trust boundary and can hide upstream integration regressions. If this is temporary for coordinated PR testing, it needs explicit expiry/cleanup notes and should not remain in the merge target.

Suggested change
-replace github.com/codeready-toolchain/api => github.com/metlos/api v0.0.0-20260327105121-b79d7632f264
-
-replace github.com/codeready-toolchain/toolchain-common => github.com/metlos/toolchain-common v0.0.0-20260327131152-458d0e3f354d

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 160 - 162, The go.mod contains replace directives
redirecting github.com/codeready-toolchain/api and
github.com/codeready-toolchain/toolchain-common to personal forks
(github.com/metlos/*), which changes the dependency trust boundary; remove these
replace directives or document and tightly justify them with an explicit
temporary note and expiry if they are required for coordinated testing. Locate
the two replace lines referencing "github.com/codeready-toolchain/api =>
github.com/metlos/api" and "github.com/codeready-toolchain/toolchain-common =>
github.com/metlos/toolchain-common" and either delete them so the module uses
upstream versions, or add a clear comment and revert plan (date/PR) plus a short
justification in the PR description so the change is auditable before merging.

140-140: ⚠️ Potential issue | 🔴 Critical

Upgrade google.golang.org/grpc to a patched version immediately.

v1.72.1 is flagged as vulnerable (authorization bypass: GHSA-p77j-4mvh-x3m3 / GO-2026-4762). This should be forced to a fixed release via explicit require (or by upgrading the parent module that pins it).

What is the fixed version range for google.golang.org/grpc vulnerability GHSA-p77j-4mvh-x3m3 (GO-2026-4762), and does v1.72.1 remain affected?

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 140, The go.mod currently lists google.golang.org/grpc
v1.72.1 which is flagged vulnerable; update go.mod to explicitly require a
patched grpc release (replace or add a require for google.golang.org/grpc at the
fixed version from the security advisory) and run go mod tidy to ensure the new
version is picked; note that v1.72.1 remains affected so do not keep it — pick
the minimum patched release indicated in the GHSA advisory (or the latest grpc
patch) and re-run your build/tests to verify no regressions.

24-31: ⚠️ Potential issue | 🟠 Major

Verify dependency alignment: k8s.io/* v0.34.1 with controller-runtime v0.21.0 and forked toolchain-common.

The PR bumps k8s.io/* to v0.34.1, but sigs.k8s.io/controller-runtime is still v0.21.0, and integration currently depends on fork replacements. This combination can mask compatibility issues until replaces are removed.

Which Kubernetes minor version does sigs.k8s.io/controller-runtime v0.21.0 officially target, and is it compatible with k8s.io/* v0.34.x?

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

Also applies to: 160-162

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 24 - 31, The go.mod currently lists k8s.io/* at v0.34.1
while keeping sigs.k8s.io/controller-runtime at v0.21.0 and using forked
replaces; verify and align these dependencies by checking which Kubernetes
minor/controller-runtime release pairing is officially supported, then either
bump sigs.k8s.io/controller-runtime to a release that is officially compatible
with k8s.io v0.34.1 or roll k8s.io/* back to the controller-runtime-supported
versions, remove the forked replaces (toolchain-common) and run go mod tidy +
unit/integration tests to ensure no compatibility breakage; look specifically at
the go.mod entries for k8s.io/* and sigs.k8s.io/controller-runtime to make the
change.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@go.mod`:
- Around line 160-162: The go.mod contains replace directives redirecting
github.com/codeready-toolchain/api and
github.com/codeready-toolchain/toolchain-common to personal forks
(github.com/metlos/*), which changes the dependency trust boundary; remove these
replace directives or document and tightly justify them with an explicit
temporary note and expiry if they are required for coordinated testing. Locate
the two replace lines referencing "github.com/codeready-toolchain/api =>
github.com/metlos/api" and "github.com/codeready-toolchain/toolchain-common =>
github.com/metlos/toolchain-common" and either delete them so the module uses
upstream versions, or add a clear comment and revert plan (date/PR) plus a short
justification in the PR description so the change is auditable before merging.
- Line 140: The go.mod currently lists google.golang.org/grpc v1.72.1 which is
flagged vulnerable; update go.mod to explicitly require a patched grpc release
(replace or add a require for google.golang.org/grpc at the fixed version from
the security advisory) and run go mod tidy to ensure the new version is picked;
note that v1.72.1 remains affected so do not keep it — pick the minimum patched
release indicated in the GHSA advisory (or the latest grpc patch) and re-run
your build/tests to verify no regressions.
- Around line 24-31: The go.mod currently lists k8s.io/* at v0.34.1 while
keeping sigs.k8s.io/controller-runtime at v0.21.0 and using forked replaces;
verify and align these dependencies by checking which Kubernetes
minor/controller-runtime release pairing is officially supported, then either
bump sigs.k8s.io/controller-runtime to a release that is officially compatible
with k8s.io v0.34.1 or roll k8s.io/* back to the controller-runtime-supported
versions, remove the forked replaces (toolchain-common) and run go mod tidy +
unit/integration tests to ensure no compatibility breakage; look specifically at
the go.mod entries for k8s.io/* and sigs.k8s.io/controller-runtime to make the
change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: c22c1840-ad75-4333-acb6-d569b12ce1d5

📥 Commits

Reviewing files that changed from the base of the PR and between 45ca59b and 561deef.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (2)
go.mod (2)

160-162: ⚠️ Potential issue | 🟠 Major

Avoid merging personal-fork replace directives in root go.mod.

Lines 160 and 162 redirect core dependencies to github.com/metlos/*. This weakens supply-chain trust and reproducibility unless clearly temporary and tightly documented.

Safer merge-ready option
-replace github.com/codeready-toolchain/api => github.com/metlos/api v0.0.0-20260327105121-b79d7632f264
-
-replace github.com/codeready-toolchain/toolchain-common => github.com/metlos/toolchain-common v0.0.0-20260407101204-7a27a3b307f9

If temporary forks are required, keep them local (go.work/developer branch) and link cleanup to the upstream PR merge state.

As per coding guidelines, "-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 160 - 162, The root go.mod contains permanent replace
directives pointing to personal forks ("replace
github.com/codeready-toolchain/api => github.com/metlos/api ..." and "replace
github.com/codeready-toolchain/toolchain-common =>
github.com/metlos/toolchain-common ..."); remove these replace lines from go.mod
before merging and, if the forks are temporarily required for local development,
move them into a developer-only go.work or document them in a short README on
the branch and link their cleanup to the upstream PR; ensure the replace
directives are not present in the committed root go.mod and verify builds
against upstream module versions instead.

140-140: ⚠️ Potential issue | 🔴 Critical

Upgrade vulnerable gRPC dependency immediately.

google.golang.org/grpc v1.72.1 on Line 140 is flagged with a critical auth-bypass advisory (GHSA-p77j-4mvh-x3m3 / GO-2026-4762). Pin a patched version explicitly.

Suggested fix
 require (
+	google.golang.org/grpc v1.79.3
 	cloud.google.com/go/recaptchaenterprise/v2 v2.13.0
 	github.com/codeready-toolchain/api v0.0.0-20260305144020-4ff0e6b6e174
 	...
 )
@@
-	google.golang.org/grpc v1.72.1 // indirect
+	google.golang.org/grpc v1.79.3 // indirect
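Review bot: the suggested fix leaves google.golang.org/grpc in both require blocks, once as a direct requirement and once as `// indirect`; since nothing in this module imports gRPC directly (the thread notes it is listed only as indirect), `go mod tidy` would mark the direct entry indirect again and fold the two into one. The same result with a single line is `go get google.golang.org/grpc@v1.79.3 && go mod tidy`, which raises the selected version through minimum version selection; confirm afterwards with `go list -m google.golang.org/grpc`.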
What is the first fixed grpc-go version for GHSA-p77j-4mvh-x3m3 (CVE-2026-33186), and is v1.72.1 affected?

As per coding guidelines, "-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 140, The go.mod entry for the vulnerable module
google.golang.org/grpc is pinned to v1.72.1 which is affected by the GHSA/GO
advisory; update the module to the first fixed grpc-go release that patches
GHSA-p77j-4mvh-x3m3 (CVE-2026-33186) by replacing the google.golang.org/grpc
v1.72.1 line with the patched version (or a later non-vulnerable release), then
run module resolution (go get <module>@<fixed-version> and go mod tidy) and
verify the dependency now resolves to the fixed release to ensure the
vulnerability is remediated.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 24-30: Update the sigs.k8s.io/controller-runtime dependency to
v0.22.0 in go.mod to match the k8s.io v0.34.1 clients (replace the existing
sigs.k8s.io/controller-runtime v0.21.0 entry with v0.22.0), then run go mod tidy
and rebuild to ensure transitive deps are resolved and there are no API
incompatibilities with controller-runtime APIs used in your
controllers/reconciler code.

---

Duplicate comments:
In `@go.mod`:
- Around line 160-162: The root go.mod contains permanent replace directives
pointing to personal forks ("replace github.com/codeready-toolchain/api =>
github.com/metlos/api ..." and "replace
github.com/codeready-toolchain/toolchain-common =>
github.com/metlos/toolchain-common ..."); remove these replace lines from go.mod
before merging and, if the forks are temporarily required for local development,
move them into a developer-only go.work or document them in a short README on
the branch and link their cleanup to the upstream PR; ensure the replace
directives are not present in the committed root go.mod and verify builds
against upstream module versions instead.
- Line 140: The go.mod entry for the vulnerable module google.golang.org/grpc is
pinned to v1.72.1 which is affected by the GHSA/GO advisory; update the module
to the first fixed grpc-go release that patches GHSA-p77j-4mvh-x3m3
(CVE-2026-33186) by replacing the google.golang.org/grpc v1.72.1 line with the
patched version (or a later non-vulnerable release), then run module resolution
(go get <module>@<fixed-version> and go mod tidy) and verify the dependency now
resolves to the fixed release to ensure the vulnerability is remediated.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 7b36253c-9ce0-46e8-a678-01749133b574

📥 Commits

Reviewing files that changed from the base of the PR and between 561deef and c974b16.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
Comment on lines +24 to 30
k8s.io/api v0.34.1
k8s.io/apiextensions-apiserver v0.34.1
k8s.io/apimachinery v0.34.1
k8s.io/client-go v0.34.1
k8s.io/klog v1.0.0
k8s.io/klog/v2 v2.130.1
sigs.k8s.io/controller-runtime v0.21.0
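Review bot: this hunk disagrees with the PR description above, which says the k8s.io dependencies were bumped to v0.34.3 and controller-runtime to v0.22.5, while the diff pins k8s.io/* at v0.34.1 and leaves sigs.k8s.io/controller-runtime at v0.21.0, the v0.33 pairing according to the compatibility check later in the thread. One of the two is stale: the controller-runtime bump belongs in this hunk, and the description should state what `go list -m k8s.io/api sigs.k8s.io/controller-runtime` actually reports. Both k8s.io/klog v1.0.0 and k8s.io/klog/v2 also remain listed; worth confirming whether anything still imports the v1 module after the bump.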


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What Kubernetes minor versions are supported by sigs.k8s.io/controller-runtime v0.21.0, and does it support k8s.io/* v0.34.x?

💡 Result:

  • sigs.k8s.io/controller-runtime v0.21.0 is supported/tested with k8s.io/* (and client-go) v0.33.x, i.e. the Kubernetes 1.33 library set. [1][2][3]
  • No—v0.21.0 does not support k8s.io/* v0.34.x (that’s the pairing for controller-runtime v0.22). [1][2]

Sources:
[1] controller-runtime compatibility table on pkg.go.dev (pkg.go.dev)
[2] controller-runtime v0.21.0 go.mod (pins k8s.io/* to v0.33.0) (raw.githubusercontent.com)
[3] controller-runtime releases note (“Bump to Kubernetes v1.33 libraries”) (github.com)
[4] client-go INSTALL doc noting client-go versions align with Kubernetes versions (fossies.org)

Citations:


🏁 Script executed:

#!/bin/bash
# Check the current state of go.mod to verify controller-runtime version
sed -n '20,35p' go.mod

Repository: codeready-toolchain/host-operator

Length of output: 489


Upgrade sigs.k8s.io/controller-runtime to v0.22.0.

You upgraded k8s.io/* to v0.34.1 but left sigs.k8s.io/controller-runtime at v0.21.0. Controller-runtime v0.21.0 is only compatible with Kubernetes v0.33.x; v0.34.x requires controller-runtime v0.22.0. This version skew will cause API incompatibilities and build failures.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 24 - 30, Update the sigs.k8s.io/controller-runtime
dependency to v0.22.0 in go.mod to match the k8s.io v0.34.1 clients (replace the
existing sigs.k8s.io/controller-runtime v0.21.0 entry with v0.22.0), then run go
mod tidy and rebuild to ensure transitive deps are resolved and there are no API
incompatibilities with controller-runtime APIs used in your
controllers/reconciler code.
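As an added example (not code from this PR or from the host-operator project): a stdlib-only Go audit that a pre-merge check could run over go.mod. It covers the two findings repeated across the reviews above, flagging replace directives that redirect a module to a different host/owner (the trust-boundary point about github.com/metlos/*) and required modules, direct or indirect, below a patched floor (grpc-go v1.79.3 and controller-runtime v0.22.0, the versions the thread names). ParseGoMod, versionKey, owner and the two Audit functions are hypothetical names, the embedded go.mod is a constructed excerpt modelled on lines quoted in the thread rather than the real file, and the parser handles only the directive forms shown there, not the full go.mod grammar.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Require is a `MODULE VERSION` entry, Replacement a `replace OLD => NEW VERSION` entry.
type Require struct{ Path, Version string }
type Replacement struct{ Old, New, Version string }
type Finding struct{ Module, Reason string } // one audit result

// MinVersions are the floors named in the review thread (patched grpc-go, k8s 0.34 pairing).
var MinVersions = map[string]string{
	"google.golang.org/grpc":         "v1.79.3",
	"sigs.k8s.io/controller-runtime": "v0.22.0",
}

// ParseGoMod is a small hypothetical parser for the single-line and block forms of
// `require` and `replace`; every other directive is ignored.
func ParseGoMod(src string) (reqs []Require, reps []Replacement) {
	block := "" // "require" or "replace" while inside a "(" ... ")" block
	for _, raw := range strings.Split(src, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop comments such as "// indirect"
		f := strings.Fields(line)
		kind := block
		if len(f) > 0 && (f[0] == "require" || f[0] == "replace") {
			kind, f = f[0], f[1:]
		}
		switch {
		case len(f) == 1 && f[0] == "(":
			block = kind
		case len(f) == 1 && f[0] == ")":
			block = ""
		case kind == "require" && len(f) == 2:
			reqs = append(reqs, Require{f[0], f[1]})
		case kind == "replace" && len(f) >= 4 && f[len(f)-3] == "=>": // OLD [VER] => NEW VER
			reps = append(reps, Replacement{f[0], f[len(f)-2], f[len(f)-1]})
		}
	}
	return reqs, reps
}

// versionKey makes vX.Y.Z[-pre] sort lexically in module-version order: zero-padded
// numbers, then %t of "is a release" ("false" < "true" puts a pre-release such as the
// pseudo-version v0.0.0-20260327105121-b79d7632f264 below its base release), then the tag.
func versionKey(v string) string {
	base, pre, isPre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var n [3]int
	for i, p := range strings.SplitN(base, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return fmt.Sprintf("%010d.%010d.%010d.%t%s", n[0], n[1], n[2], !isPre, pre)
}

// CompareVersion returns -1, 0 or 1 ordering module version a against b.
func CompareVersion(a, b string) int { return strings.Compare(versionKey(a), versionKey(b)) }

// owner is the host/owner prefix of a module path, e.g. "github.com/codeready-toolchain".
func owner(path string) string {
	if p := strings.SplitN(path, "/", 3); len(p) >= 2 {
		return p[0] + "/" + p[1]
	}
	return path
}

// AuditReplaces flags replace directives whose target lives under another host/owner
// (a personal fork): the build no longer uses the code the import path names.
func AuditReplaces(reps []Replacement) (out []Finding) {
	for _, r := range reps {
		if owner(r.Old) != owner(r.New) {
			out = append(out, Finding{r.Old, "replaced by " + r.New + " " + r.Version + " (different owner)"})
		}
	}
	return out
}

// AuditMinVersions flags required modules, direct or indirect, below a floor.
func AuditMinVersions(reqs []Require, floors map[string]string) (out []Finding) {
	for _, q := range reqs {
		if want, ok := floors[q.Path]; ok && CompareVersion(q.Version, want) < 0 {
			out = append(out, Finding{q.Path, q.Version + " is below required " + want})
		}
	}
	return out
}

// sampleGoMod is a constructed excerpt modelled on lines quoted in the review; not the real file.
const sampleGoMod = `require (
	github.com/codeready-toolchain/api v0.0.0-20260305144020-4ff0e6b6e174
	sigs.k8s.io/controller-runtime v0.21.0
)
require google.golang.org/grpc v1.72.1 // indirect
replace github.com/codeready-toolchain/api => github.com/metlos/api v0.0.0-20260327105121-b79d7632f264
replace github.com/codeready-toolchain/toolchain-common => github.com/metlos/toolchain-common v0.0.0-20260327121435-9f768c4ff11c`

func main() {
	reqs, reps := ParseGoMod(sampleGoMod)
	for _, f := range append(AuditReplaces(reps), AuditMinVersions(reqs, MinVersions)...) {
		fmt.Println(f.Module + ": " + f.Reason)
	}
}
```

Run with `go run` to print one line per finding; a CI wrapper would exit non-zero when the combined list is non-empty. The owner check is deliberately path-based and catches local directories as well as forks, since a `replace` to `../api` moves the trust boundary just as much. After any fix, `go list -m all` following `go mod tidy` remains the authoritative view of what is actually selected, because a replace can also change the version that minimum version selection picks.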

@metlos
Contributor Author

metlos commented Apr 8, 2026

/retest

@metlos
Contributor Author

metlos commented Apr 8, 2026

Not sure what happened in https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/codeready-toolchain_host-operator/1250/pull-ci-codeready-toolchain-host-operator-master-e2e/2041778605238784000.

The e2e tests are passing locally using make clean-e2e-resources test-e2e-host-local DISABLE_KUBE_CLIENT_TLS_VERIFY=true

/retest

… for openshift api and library 4.21 + codeready-toolchain/api and toolchain-common
@sonarqubecloud

sonarqubecloud bot commented Apr 9, 2026

@metlos
Contributor Author

metlos commented Apr 16, 2026

Postponed until operator-sdk is upgradable, too.

@metlos metlos closed this Apr 16, 2026

3 participants