LOG-8992: update dependencies to match OCP v4.22#3275

Open
jcantrill wants to merge 2 commits into openshift:master from jcantrill:log8992_deps

Conversation

@jcantrill jcantrill commented May 11, 2026

Description

This PR:

  • Updates the Dockerfile to golang 1.25
  • Removes obsolete variables from the Dockerfile
  • Updates the kubernetes dependencies to be the same as OCP 4.22
  • Removes the elasticsearch-operator dependency from this operator

Links

cc @vparfonov @Clee2691

Summary by CodeRabbit

  • Chores

    • Upgraded Go to 1.25 and refreshed many module dependencies
    • Streamlined container build and runtime artifact/layout
  • Behavioral Change

    • Operator no longer recognizes Elasticsearch-operator logging API types
  • Tests

    • Updated test expectations to omit creationTimestamp: null in serialized outputs

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 11, 2026
openshift-ci-robot commented May 11, 2026

@jcantrill: This pull request references LOG-8992 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.8.0" version, but no target version was set.


coderabbitai Bot commented May 11, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: bea42bf8-2d79-4476-956d-082dac0615be

📥 Commits

Reviewing files that changed from the base of the PR and between 3d8bf3e and 72705fa.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (4)
  • Dockerfile
  • go.mod
  • internal/auth/rbac_test.go
  • test/helpers_test.go
💤 Files with no reviewable changes (1)
  • internal/auth/rbac_test.go
✅ Files skipped from review due to trivial changes (1)
  • test/helpers_test.go

Walkthrough

Updates build image/workdir and runtime Docker copy paths, bumps Go to 1.25 and refreshes module pins, removes Elasticsearch API registration from the controller manager scheme, and adjusts tests to stop expecting metadata.creationTimestamp: null in rendered ConfigMap/RBAC outputs.

Changes

Build image, context paths, and runtime image wiring

| Layer / File(s) | Summary |
|---|---|
| Builder image, WORKDIR, and context COPYs / Dockerfile | Switch builder base to golang:1.25, set WORKDIR /opt/app-root/src, remove ${APP_DIR}/${REMOTE_SOURCES*} env usage, and replace ${APP_DIR}-based COPY lines with direct COPY of repository subtrees (e.g., api, cmd/main.go, internal, go.mod, .bingo, Makefile, version) into the fixed workdir. |
| Conditional dependency caching and build entrypoint / Dockerfile | Preserve ARG CACHE_DEPS="true"-gated go mod download step, then run make build inside the new workdir. |
| Runtime stage artifact and must-gather scripts copy / Dockerfile | Remove runtime env vars (APP_DIR/SRC_DIR), copy operator binary from /opt/app-root/src/bin/..., and copy must-gather scripts from ./must-gather/collection-scripts/* into /usr/bin/; package installs, rpm validation, cleanup, and permission fixes remain but reference the new paths. |

Dependency graph and toolchain

| Layer / File(s) | Summary |
|---|---|
| Go toolchain version and direct deps / go.mod | Bump go directive to 1.25.0 and update many direct dependencies (e.g., go-logr/logr, klauspost/compress, ginkgo/v2, gomega, prometheus/client_golang, spf13/pflag, stretchr/testify, various golang.org/x/* and k8s.io/* modules). Remove github.com/openshift/elasticsearch-operator from direct require. |
| Indirect deps and SMR bump / go.mod | Refresh numerous indirect dependencies (Prometheus, OpenTelemetry, gRPC, cel-go, etc.) and switch sigs.k8s.io/structured-merge-diff from v4 to v6; keep existing local replace directive unchanged. |

Controller manager scheme change

| Layer / File(s) | Summary |
|---|---|
| Remove Elasticsearch API registration / cmd/main.go | Drop import of Elasticsearch operator v1 API and remove elasticsearch.AddToScheme(scheme) in init(), so the manager scheme no longer registers those Elasticsearch API types. |

Test expectation updates

| Layer / File(s) | Summary |
|---|---|
| Serialization/YAML expected outputs / internal/auth/rbac_test.go, test/helpers_test.go | Adjust unit test expectations to remove metadata.creationTimestamp: null and instead expect metadata: {} in rendered JSON/YAML for ConfigMap and RBAC stub outputs. No exported/prod signatures changed. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The description covers the main changes and includes required sections, but lacks mandatory reviewer and approver assignments (/cc and /assign) specified in the template. | Add /cc and /assign directives to assign reviewers and approvers from the OWNERS file as required by the template. |

✅ Passed checks (11 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: updating dependencies to match OCP v4.22, which is the primary objective reflected in all file modifications. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All Ginkgo test names in modified test files are stable and deterministic with no dynamic information, generated IDs, timestamps, node names, or values that change between runs. |
| Test Structure And Quality | ✅ Passed | PR modifies only test expectations, not test code. No new tests added. Existing tests follow codebase patterns with proper Ginkgo structure and single responsibilities. |
| Microshift Test Compatibility | ✅ Passed | No new Ginkgo e2e tests are added in this PR. Changes are only modifications to existing test expectations. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added in this PR. Changes include dependency updates, Dockerfile modifications, and updates to existing test expectations only. SNO compatibility check is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | No new scheduling constraints detected. PR updates build system (Dockerfile, go.mod, cmd/main.go) and test expectations only. No deployment manifests or pod scheduling constraints added. |
| Ote Binary Stdout Contract | ✅ Passed | No process-level stdout writes found. Logging routes to stderr via ViaQ logerr. No fmt.Print or klog issues. Test changes are framework-intercepted. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests are added in this PR. Changes include Dockerfile/dependency updates and modifications to expected outputs in existing unit tests. Custom check is not applicable. |


@openshift-ci openshift-ci Bot requested review from alanconway and cahartma May 11, 2026 20:24
@openshift-ci openshift-ci Bot added the midstream/Dockerfile A Dockerfile.in sync is needed with midstream label May 11, 2026
openshift-ci Bot commented May 11, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jcantrill


@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 11, 2026
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Line 9: The RUN conditional in the Dockerfile uses an unquoted variable in the
shell test ([ -n $CACHE_DEPS ]), which can mis-evaluate when CACHE_DEPS is
empty; update the test to quote the variable (e.g. [ -n "$CACHE_DEPS" ]) so the
condition is evaluated correctly and the go mod download step only runs when
CACHE_DEPS is set.

In `@go.mod`:
- Line 124: The go.mod currently pins google.golang.org/grpc to v1.72.2 which
contains a critical auth bypass; update the grpc module requirement to v1.79.3
or later (replace the line referencing google.golang.org/grpc v1.72.2) and then
run go get google.golang.org/grpc@v1.79.3 (or newer) followed by go mod tidy to
refresh indirect dependencies; ensure the module entry for
google.golang.org/grpc in go.mod and go.sum are updated accordingly and run
tests to validate no breakage.
- Line 107: Update the vulnerable dependency go.opentelemetry.io/otel/sdk from
v1.36.0 to v1.40.0 or later in go.mod (the module name is
go.opentelemetry.io/otel/sdk) and re-resolve the module graph so transitive OTel
modules are upgraded as well; after changing the version run your project’s Go
module resolution (e.g., re-fetch and tidy modules) to ensure the new version is
recorded and the lockfile / go.sum are updated.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cd1b40f5-1409-45d6-9370-44bab0de27fe

📥 Commits

Reviewing files that changed from the base of the PR and between 30295d6 and 27a90d8.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • Dockerfile
  • cmd/main.go
  • go.mod
💤 Files with no reviewable changes (1)
  • cmd/main.go

@jcantrill
Contributor Author

/label tide/merge-method-squash

@openshift-ci openshift-ci Bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label May 12, 2026
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Line 9: The RUN conditional currently tests only for a non-empty CACHE_DEPS
which treats "false" as true; change the test to an explicit boolean equality
check against the intended truthy value (e.g., test CACHE_DEPS = "true" or =
"1") so go mod download only runs when CACHE_DEPS is explicitly enabled; update
the RUN line that references CACHE_DEPS and runs go mod download accordingly and
ensure any documentation or CI that sets CACHE_DEPS uses the chosen true value.

In `@go.mod`:
- Around line 103-108: The go.mod pins vulnerable OpenTelemetry modules
(go.opentelemetry.io/otel, go.opentelemetry.io/otel/sdk and related packages) at
v1.40.0; update the affected module versions in go.mod so they use patched
releases (e.g., set go.opentelemetry.io/otel to v1.41.0 and
go.opentelemetry.io/otel/sdk to v1.43.0, and align related
exporters/metric/trace modules to compatible patched versions such as v1.41.0+
or v1.43.0+), then run `go get`/`go mod tidy` to resolve and verify the
dependency graph and ensure no breakages in functions that initialize or use
OpenTelemetry components (look for code referencing go.opentelemetry.io/otel,
go.opentelemetry.io/otel/sdk, go.opentelemetry.io/otel/metric,
go.opentelemetry.io/otel/trace, and
go.opentelemetry.io/otel/exporters/otlp/otlptrace).
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e366fcf3-7137-43a7-9d81-d72e86a781ce

📥 Commits

Reviewing files that changed from the base of the PR and between 27a90d8 and 3d8bf3e.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (4)
  • Dockerfile
  • go.mod
  • internal/auth/rbac_test.go
  • test/helpers_test.go
💤 Files with no reviewable changes (1)
  • internal/auth/rbac_test.go
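
The two Dockerfile findings above (the unquoted `[ -n $CACHE_DEPS ]` test, then the request for an explicit boolean check) can be compared side by side. This is an added example, not code from the PR or from the review; the function names are made up here, and each function echoes `run` when the guarded `go mod download` step would execute.

```shell
#!/bin/sh
# Added example: three forms of the CACHE_DEPS guard, evaluated for the
# values a build could pass (empty, "false", "true").

# Original form: unquoted expansion. An empty value expands to nothing, the
# test collapses to `[ -n ]`, and a one-argument test is true whenever that
# single argument (here the literal "-n") is non-empty. The step always runs.
guard_unquoted() {
    CACHE_DEPS=$1
    if [ -n $CACHE_DEPS ]; then echo run; else echo skip; fi
}

# First suggested form: quoted expansion. Empty now skips, but any non-empty
# value, including the string "false", still counts as enabled.
guard_quoted() {
    CACHE_DEPS=$1
    if [ -n "$CACHE_DEPS" ]; then echo run; else echo skip; fi
}

# Second suggested form: explicit comparison with the ARG default "true".
# Only that exact value enables the download.
guard_explicit() {
    CACHE_DEPS=$1
    if [ "$CACHE_DEPS" = "true" ]; then echo run; else echo skip; fi
}

# Print the decision table for the three constructed input values.
print_table() {
    printf '%-10s %-10s %-10s %-10s\n' value unquoted quoted explicit
    for v in "" false true; do
        printf '%-10s %-10s %-10s %-10s\n' "'$v'" \
            "$(guard_unquoted "$v")" "$(guard_quoted "$v")" "$(guard_explicit "$v")"
    done
}

print_table
```

Only the explicit comparison turns the step off for `--build-arg CACHE_DEPS=false`; the quoted `-n` form fixes the empty case alone.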

Comment thread go.mod
Comment on lines +103 to +108
go.opentelemetry.io/otel v1.40.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
go.opentelemetry.io/otel/metric v1.40.0 // indirect
go.opentelemetry.io/otel/sdk v1.40.0 // indirect
go.opentelemetry.io/otel/trace v1.40.0 // indirect
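
Review bot: The two exporter pins on lines 104-105 (otlptrace and otlptracegrpc) stay at v1.34.0 while otel, otel/metric, otel/sdk and otel/trace on the surrounding lines are at v1.40.0, so the OpenTelemetry set is not on one release. All six entries carry // indirect, meaning the main module does not import them directly and the versions follow from the upgraded direct dependencies; please confirm this skew is what module resolution actually selects, and if the pins are raised, raise them together with go get followed by go mod tidy so the go.sum change lands in the same commit.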
⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Pinned OTel modules in go.mod:"
rg -n '^\s*go\.opentelemetry\.io/otel($|/)' go.mod

echo
echo "If available, run dependency vulnerability checks:"
if command -v osv-scanner >/dev/null 2>&1; then
  osv-scanner --lockfile=go.mod
else
  echo "osv-scanner not found: install and run -> osv-scanner --lockfile=go.mod"
fi

if command -v govulncheck >/dev/null 2>&1; then
  govulncheck ./...
else
  echo "govulncheck not found: install and run -> govulncheck ./..."
fi

Repository: openshift/cluster-logging-operator

Length of output: 5526


Upgrade OTel modules: v1.40.0 has confirmed high-severity vulnerabilities

Lines 106–108 pin go.opentelemetry.io/otel packages to v1.40.0, which are flagged by current vulnerability advisories:

Patches are available; please bump these dependencies.

🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 103-103: go.opentelemetry.io/otel 1.40.0: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)

(GHSA-mh2q-q3fh-2475)


[HIGH] 107-107: go.opentelemetry.io/otel/sdk 1.40.0: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

(GHSA-hfvc-g4fc-pqhx)

@jcantrill
Contributor Author

/test e2e-target

openshift-ci Bot commented May 13, 2026

@jcantrill: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-target | 72705fa | link | true | /test e2e-target |


Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
  • midstream/Dockerfile: A Dockerfile.in sync is needed with midstream
  • release/6.6
  • tide/merge-method-squash: Denotes a PR that should be squashed by tide when it merges.
