Fix/4477 regen and vet#4479
Merged
ValClarkson merged 2 commits intoMay 13, 2026
Merged
Conversation
andrewlecuyer
approved these changes
May 13, 2026
Bumps the kubernetes group with 4 updates in the / directory: [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/client-go](https://github.com/kubernetes/client-go), [k8s.io/component-base](https://github.com/kubernetes/component-base) and [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime). Updates `k8s.io/api` from 0.35.2 to 0.36.0 - [Commits](kubernetes/api@v0.35.2...v0.36.0) Updates `k8s.io/apimachinery` from 0.35.2 to 0.36.0 - [Commits](kubernetes/apimachinery@v0.35.2...v0.36.0) Updates `k8s.io/client-go` from 0.35.2 to 0.36.0 - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](kubernetes/client-go@v0.35.2...v0.36.0) Updates `k8s.io/component-base` from 0.35.2 to 0.36.0 - [Commits](kubernetes/component-base@v0.35.2...v0.36.0) Updates `k8s.io/klog/v2` from 2.130.1 to 2.140.0 - [Release notes](https://github.com/kubernetes/klog/releases) - [Changelog](https://github.com/kubernetes/klog/blob/main/RELEASE.md) - [Commits](kubernetes/klog@v2.130.1...2.140.0) Updates `k8s.io/kube-openapi` from 0.0.0-20250910181357-589584f1c912 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `sigs.k8s.io/controller-runtime` from 0.23.1 to 0.24.0 - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](kubernetes-sigs/controller-runtime@v0.23.1...v0.24.0) --- updated-dependencies: - dependency-name: k8s.io/api dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: kubernetes - dependency-name: k8s.io/apimachinery dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: kubernetes - dependency-name: k8s.io/client-go dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: kubernetes - dependency-name: k8s.io/component-base dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: kubernetes - dependency-name: k8s.io/klog/v2 dependency-version: 2.140.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: kubernetes - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: kubernetes - dependency-name: sigs.k8s.io/controller-runtime dependency-version: 0.23.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: kubernetes ... Signed-off-by: dependabot[bot] <support@github.com>
Following the kubernetes group bump to 0.36.0: - Regenerate CRDs to drop the stale `ProcMountType` feature-flag description (the feature was promoted to GA in upstream Kubernetes 1.36, so the description text was simplified). - Fix a pre-existing printf-style call to `EventRecorder.Eventf` that passed `repoName` as a vararg without a matching format directive. Go 1.26's stricter vet (now in use after the go.mod toolchain bump) flags this; older vet did not.
ValClarkson
force-pushed
the
fix/4477-regen-and-vet
branch
from
609c55b to
b3ebeb6
Compare
ValClarkson
added a commit
to ValClarkson/postgres-operator
that referenced
this pull request
May 13, 2026
govulncheck reports DoS vulnerabilities in golang.org/x/net/http2 (http2.Transport.RoundTrip, NewClientConn, unencryptedTransport.RoundTrip, noDialH2RoundTripper.RoundTrip) that are reached via Kubernetes' discovery client. The fix is in x/net v0.51.0+ for CVE-2026-27141 and later versions for follow-on HTTP/2 hardening (e.g. CVE-2026-33814 fixes). Bumping x/net to v0.54.0 (the latest release as of Apr 2026) also pulls in the matching versions of the other golang.org/x/* dependencies it relies on (crypto, mod, sync, sys, term, text, tools). All are minor bumps within the x/ family and contain no API breakage. Rebased on top of CrunchyData#4479 (Kubernetes 0.36.0 / controller-runtime 0.24.0). Co-authored-by: Cursor <cursoragent@cursor.com>
ValClarkson
added a commit
to ValClarkson/postgres-operator
that referenced
this pull request
May 13, 2026
…troller-runtime 0.24 The kubernetes group bump to 0.36.0 (CrunchyData#4479) introduced a new v1.PersistentVolumeClaimConditionType ("Unused") that triggers the exhaustive linter on the PVC condition switch in volumes.go. Add it to the existing no-op case alongside the other condition types that have no bearing on volume resizing. The bump also surfaced two staticcheck SA1019 deprecation warnings that block CI on every PR until addressed: - controller-runtime 0.24 deprecated scheme.Builder (used by both v1 and v1beta1 groupversion_info.go). Migrating to the new helper requires restructuring our api packages, so suppress the warning for now and leave a TODO via the comment. - k8s.io/apimachinery 0.36 deprecated direct access to managed.FieldsV1.Raw in favor of GetRawBytes/SetRawBytes. Only apply_test.go uses the old field; suppress until the test is rewritten against the new helpers. These exclusions are scoped narrowly via path patterns so other call sites (if any) still get flagged. Co-authored-by: Cursor <cursoragent@cursor.com>
ValClarkson
added a commit
that referenced
this pull request
May 13, 2026
govulncheck reports DoS vulnerabilities in golang.org/x/net/http2 (http2.Transport.RoundTrip, NewClientConn, unencryptedTransport.RoundTrip, noDialH2RoundTripper.RoundTrip) that are reached via Kubernetes' discovery client. The fix is in x/net v0.51.0+ for CVE-2026-27141 and later versions for follow-on HTTP/2 hardening (e.g. CVE-2026-33814 fixes). Bumping x/net to v0.54.0 (the latest release as of Apr 2026) also pulls in the matching versions of the other golang.org/x/* dependencies it relies on (crypto, mod, sync, sys, term, text, tools). All are minor bumps within the x/ family and contain no API breakage. Rebased on top of #4479 (Kubernetes 0.36.0 / controller-runtime 0.24.0). Co-authored-by: Cursor <cursoragent@cursor.com>
ValClarkson
added a commit
that referenced
this pull request
May 13, 2026
…troller-runtime 0.24 The kubernetes group bump to 0.36.0 (#4479) introduced a new v1.PersistentVolumeClaimConditionType ("Unused") that triggers the exhaustive linter on the PVC condition switch in volumes.go. Add it to the existing no-op case alongside the other condition types that have no bearing on volume resizing. The bump also surfaced two staticcheck SA1019 deprecation warnings that block CI on every PR until addressed: - controller-runtime 0.24 deprecated scheme.Builder (used by both v1 and v1beta1 groupversion_info.go). Migrating to the new helper requires restructuring our api packages, so suppress the warning for now and leave a TODO via the comment. - k8s.io/apimachinery 0.36 deprecated direct access to managed.FieldsV1.Raw in favor of GetRawBytes/SetRawBytes. Only apply_test.go uses the old field; suppress until the test is rewritten against the new helpers. These exclusions are scoped narrowly via path patterns so other call sites (if any) still get flagged. Co-authored-by: Cursor <cursoragent@cursor.com>
ValClarkson
added a commit
to ValClarkson/postgres-operator
that referenced
this pull request
May 13, 2026
…OTel Now that the x/net CVE fix (CrunchyData#4481) and the k8s 0.36.0 / controller-runtime 0.24.0 jump (CrunchyData#4479) are on main, this finishes the planned upgrade pass with patch bumps and the Go toolchain bump: * Go 1.26.0 -> 1.26.3 (go directive only; e2e CI still installs Go 1.25.x for kuttl/chainsaw which depend on testDeps.ModulePath at the older toolchain). * k8s.io/api, apimachinery, client-go 0.36.0 -> 0.36.1 * sigs.k8s.io/controller-runtime 0.24.0 -> 0.24.1 * go.opentelemetry.io/otel{,/sdk,/trace,/metric,/log,/sdk/log,/sdk/metric} 1.42.0 -> 1.43.0 (and matching otlp/* exporters; stdout* and log* sub- modules to v0.19.0 / v1.43.0 / v0.65.0 as appropriate). * go.opentelemetry.io/contrib/{exporters/autoexport,instrumentation/net/http/ otelhttp,propagators/autoprop,bridges/prometheus,propagators/{aws,b3, jaeger,ot}} 0.67.0/1.42.0 -> 0.68.0/1.43.0. These are all patch / minor bumps within their respective stable lines. 'go mod tidy', 'go build ./...', 'go vet ./...', 'make generate', and 'golangci-lint run' all pass cleanly with no source changes required. Supersedes the Dependabot PRs CrunchyData#4475, CrunchyData#4477, CrunchyData#4478 and the older snapshot of CrunchyData#4483. Signed-off-by: ValClarkson <valerie.clarkson@crunchydata.com>
ValClarkson
added a commit
that referenced
this pull request
May 13, 2026
…OTel Now that the x/net CVE fix (#4481) and the k8s 0.36.0 / controller-runtime 0.24.0 jump (#4479) are on main, this finishes the planned upgrade pass with patch bumps and the Go toolchain bump: * Go 1.26.0 -> 1.26.3 (go directive only; e2e CI still installs Go 1.25.x for kuttl/chainsaw which depend on testDeps.ModulePath at the older toolchain). * k8s.io/api, apimachinery, client-go 0.36.0 -> 0.36.1 * sigs.k8s.io/controller-runtime 0.24.0 -> 0.24.1 * go.opentelemetry.io/otel{,/sdk,/trace,/metric,/log,/sdk/log,/sdk/metric} 1.42.0 -> 1.43.0 (and matching otlp/* exporters; stdout* and log* sub- modules to v0.19.0 / v1.43.0 / v0.65.0 as appropriate). * go.opentelemetry.io/contrib/{exporters/autoexport,instrumentation/net/http/ otelhttp,propagators/autoprop,bridges/prometheus,propagators/{aws,b3, jaeger,ot}} 0.67.0/1.42.0 -> 0.68.0/1.43.0. These are all patch / minor bumps within their respective stable lines. 'go mod tidy', 'go build ./...', 'go vet ./...', 'make generate', and 'golangci-lint run' all pass cleanly with no source changes required. Supersedes the Dependabot PRs #4475, #4477, #4478 and the older snapshot of #4483. Signed-off-by: ValClarkson <valerie.clarkson@crunchydata.com>
ValClarkson
added a commit
that referenced
this pull request
May 14, 2026
The e2e-k3d-chainsaw and e2e-k3d-kuttl jobs were pinned to Go 1.25.x with
a TODO noting that chainsaw/kuttl were missing the new testDeps.ModulePath
introduced by Go 1.26. Both projects have since shipped releases that
require go >= 1.26.0:
* github.com/kudobuilder/kuttl v0.26.0 -> go 1.26.0
* github.com/kyverno/chainsaw (main) -> go 1.26.0
actions/setup-go@v6 sets GOTOOLCHAIN=local when an explicit version is
requested, so the pinned 1.25.x runner cannot auto-upgrade to satisfy
those modules and the e2e jobs fail with:
go: github.com/kudobuilder/kuttl/cmd/kubectl-kuttl@latest:
github.com/kudobuilder/kuttl@v0.26.0 requires go >= 1.26.0
(running go 1.25.9; GOTOOLCHAIN=local)
Switch both e2e jobs to 'go-version: stable', matching every other Go job
in the same workflow (go-test, kubernetes-api, kubernetes-k3d,
coverage-report). This unblocks the e2e checks that have been red on main
since the Go 1.26 bump landed in #4479.
ValClarkson
added a commit
to ValClarkson/postgres-operator
that referenced
this pull request
May 14, 2026
….24.1, Go to 1.26.3 Brings REL_5_8 in line with the dependency baseline already running on main (PRs CrunchyData#4479 and CrunchyData#4483) so that the branch picks up: - k8s.io/* 0.35.2 -> 0.36.1 - k8s.io/apiextensions-apiserver / apiserver 0.35.0 -> 0.36.0 - k8s.io/kube-openapi refreshed to the v0.36.1 timestamp - k8s.io/klog/v2 2.130.1 -> 2.140.0 - k8s.io/utils refreshed - sigs.k8s.io/controller-runtime 0.23.1 -> 0.24.1 - sigs.k8s.io/apiserver-network-proxy/konnectivity-client 0.31.2 -> 0.34.0 - sigs.k8s.io/structured-merge-diff/v6 to a stable v6.3.2 - go directive 1.25.0 -> 1.26.3 (matches main) - golang.org/x/time 0.9.0 -> 0.14.0 - google.golang.org/grpc 1.79.1 -> 1.79.3 - google.golang.org/protobuf 1.36.11 -> 1.36.12 pre-release This supersedes Dependabot PR CrunchyData#4476: that PR mixes k8s 0.36.0 with controller-runtime 0.23.3, which fails to compile because client-go v0.36 added a HasSyncedChecker method to ResourceEventHandlerRegistration that controller-runtime 0.23.x does not implement. Bumping cr to 0.24.1 is the supported combination. Required source / config backports (mirror PR CrunchyData#4483 on main): - config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml: `make generate-crd` strips the now-obsolete "ProcMountType feature flag" sentence from the procMount field description, since the gate was promoted to GA in Kubernetes 1.36. - internal/controller/postgrescluster/volumes.go: handle the new `corev1.PersistentVolumeClaimUnused` condition (KEP-4901, K8s 1.36) in the existing no-op `case` so that the `exhaustive` linter is satisfied. - internal/controller/postgrescluster/pgbackrest.go: fix a `go vet` warning that surfaced under Go 1.26 by adding a %q verb to the `EventRecorder.Eventf` call that was passing `repoName` without a matching format directive. - .golangci.yaml: add SA1019 exclusions for two new deprecations: * `managed.FieldsV1.Raw` (k8s.io/apimachinery v0.36 deprecated direct field access; tests still exercise the legacy field). * `scheme.Builder` (controller-runtime v0.24 deprecated; the recommended replacement requires restructuring our api packages and is left for a follow-up). `generate-rbac` is unchanged from REL_5_8 and was not regenerated here because controller-gen tries to parse `internal/postgres/...`, which transitively imports `pg_query_go` and fails to build on macOS hosts (unrelated to this bump). Co-authored-by: Cursor <cursoragent@cursor.com>
ValClarkson
added a commit
to ValClarkson/postgres-operator
that referenced
this pull request
May 14, 2026
….24.1, Go to 1.26.3 Brings REL_5_8 in line with the dependency baseline already running on main (PRs CrunchyData#4479 and CrunchyData#4483) so that the branch picks up: - k8s.io/* 0.35.2 -> 0.36.1 - k8s.io/apiextensions-apiserver / apiserver 0.35.0 -> 0.36.0 - k8s.io/kube-openapi refreshed to the v0.36.1 timestamp - k8s.io/klog/v2 2.130.1 -> 2.140.0 - k8s.io/utils refreshed - sigs.k8s.io/controller-runtime 0.23.1 -> 0.24.1 - sigs.k8s.io/apiserver-network-proxy/konnectivity-client 0.31.2 -> 0.34.0 - sigs.k8s.io/structured-merge-diff/v6 to a stable v6.3.2 - go directive 1.25.0 -> 1.26.3 (matches main) - golang.org/x/time 0.9.0 -> 0.14.0 - google.golang.org/protobuf 1.36.11 -> 1.36.12 pre-release This supersedes Dependabot PR CrunchyData#4476: that PR mixes k8s 0.36.0 with controller-runtime 0.23.3, which fails to compile because client-go v0.36 added a HasSyncedChecker method to ResourceEventHandlerRegistration that controller-runtime 0.23.x does not implement. Bumping cr to 0.24.1 is the supported combination. Required source / config backports (mirror PR CrunchyData#4483 on main): - config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml: `make generate-crd` strips the now-obsolete "ProcMountType feature flag" sentence from the procMount field description, since the gate was promoted to GA in Kubernetes 1.36. - internal/controller/postgrescluster/volumes.go: handle the new `corev1.PersistentVolumeClaimUnused` condition (KEP-4901, K8s 1.36) in the existing no-op `case` so that the `exhaustive` linter is satisfied. - internal/controller/postgrescluster/pgbackrest.go: fix a `go vet` warning that surfaced under Go 1.26 by adding a %q verb to the `EventRecorder.Eventf` call that was passing `repoName` without a matching format directive. - .golangci.yaml: add SA1019 exclusions for two new deprecations: * `managed.FieldsV1.Raw` (k8s.io/apimachinery v0.36 deprecated direct field access; tests still exercise the legacy field). * `scheme.Builder` (controller-runtime v0.24 deprecated; the recommended replacement requires restructuring our api packages and is left for a follow-up). `generate-rbac` is unchanged from REL_5_8 and was not regenerated here because controller-gen tries to parse `internal/postgres/...`, which transitively imports `pg_query_go` and fails to build on macOS hosts (unrelated to this bump). Co-authored-by: Cursor <cursoragent@cursor.com>
ValClarkson
added a commit
that referenced
this pull request
May 14, 2026
….24.1, Go to 1.26.3 Brings REL_5_8 in line with the dependency baseline already running on main (PRs #4479 and #4483) so that the branch picks up: - k8s.io/* 0.35.2 -> 0.36.1 - k8s.io/apiextensions-apiserver / apiserver 0.35.0 -> 0.36.0 - k8s.io/kube-openapi refreshed to the v0.36.1 timestamp - k8s.io/klog/v2 2.130.1 -> 2.140.0 - k8s.io/utils refreshed - sigs.k8s.io/controller-runtime 0.23.1 -> 0.24.1 - sigs.k8s.io/apiserver-network-proxy/konnectivity-client 0.31.2 -> 0.34.0 - sigs.k8s.io/structured-merge-diff/v6 to a stable v6.3.2 - go directive 1.25.0 -> 1.26.3 (matches main) - golang.org/x/time 0.9.0 -> 0.14.0 - google.golang.org/protobuf 1.36.11 -> 1.36.12 pre-release This supersedes Dependabot PR #4476: that PR mixes k8s 0.36.0 with controller-runtime 0.23.3, which fails to compile because client-go v0.36 added a HasSyncedChecker method to ResourceEventHandlerRegistration that controller-runtime 0.23.x does not implement. Bumping cr to 0.24.1 is the supported combination. Required source / config backports (mirror PR #4483 on main): - config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml: `make generate-crd` strips the now-obsolete "ProcMountType feature flag" sentence from the procMount field description, since the gate was promoted to GA in Kubernetes 1.36. - internal/controller/postgrescluster/volumes.go: handle the new `corev1.PersistentVolumeClaimUnused` condition (KEP-4901, K8s 1.36) in the existing no-op `case` so that the `exhaustive` linter is satisfied. - internal/controller/postgrescluster/pgbackrest.go: fix a `go vet` warning that surfaced under Go 1.26 by adding a %q verb to the `EventRecorder.Eventf` call that was passing `repoName` without a matching format directive. - .golangci.yaml: add SA1019 exclusions for two new deprecations: * `managed.FieldsV1.Raw` (k8s.io/apimachinery v0.36 deprecated direct field access; tests still exercise the legacy field). * `scheme.Builder` (controller-runtime v0.24 deprecated; the recommended replacement requires restructuring our api packages and is left for a follow-up). `generate-rbac` is unchanged from REL_5_8 and was not regenerated here because controller-gen tries to parse `internal/postgres/...`, which transitively imports `pg_query_go` and fails to build on macOS hosts (unrelated to this bump). Co-authored-by: Cursor <cursoragent@cursor.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Checklist:
Type of Changes:
What is the current behavior (link to any open issues here)?
What is the new behavior (if this is a feature change)?
Other Information: