CORENET-7046: Bump Kubernetes to 1.36.1 and OCP to 5.0

.ci-operator.yaml

@@ -1,4 +1,5 @@
 build_root_image:
   name: release
   namespace: openshift
-  tag: rhel-9-release-golang-1.25-openshift-4.22
+  # Keep CNO on the release build-root stream while moving to the Go 1.26/OCP 5.0 tag.
+  tag: rhel-9-release-golang-1.26-openshift-5.0

Dockerfile

@@ -1,9 +1,11 @@
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
+# Kubernetes 1.36 requires Go 1.26; use the matching OCP 5.0 builder image.
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder
 WORKDIR /go/src/github.com/openshift/cluster-network-operator
 COPY . .
 RUN hack/build-go.sh
 
-FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
+# Keep the runtime base aligned with the OCP 5.0 release payload.
+FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
 COPY --from=builder  /go/src/github.com/openshift/cluster-network-operator/cluster-network-operator /usr/bin/
 COPY --from=builder  /go/src/github.com/openshift/cluster-network-operator/cluster-network-check-endpoints /usr/bin/
 COPY --from=builder  /go/src/github.com/openshift/cluster-network-operator/cluster-network-check-target /usr/bin/

docs/kubernetes-ocp-5.0-bump.md

@@ -0,0 +1,79 @@
+# Kubernetes 1.36.1 and OCP 5.0 bump
+
+This update rebases cluster-network-operator onto Kubernetes 1.36.1 and the
+OCP 5.0 build/runtime images. It follows the recent dependency-bump pattern in
+the repository: update the Kubernetes modules, refresh related OpenShift and
+controller dependencies, run `go mod tidy`, regenerate `vendor`, and run
+codegen.
+
+## What changed
+
+- `go.mod` now uses Go 1.26.0 because Kubernetes 1.36.1 modules require Go
+  1.26 or newer.
+- Kubernetes modules such as `k8s.io/api`, `k8s.io/apimachinery`,
+  `k8s.io/client-go`, `k8s.io/code-generator`, `k8s.io/component-base`,
+  `k8s.io/kube-proxy`, `k8s.io/apiextensions-apiserver`, `k8s.io/apiserver`,
+  and `k8s.io/kube-aggregator` were bumped to `v0.36.1`.
+- OpenShift modules were refreshed without a `release-5.0` suffix for the
+  normal module queries, matching the newer 1.34/1.35 bump style.
+  `github.com/openshift/build-machinery-go`, `github.com/openshift/api`, and
+  `github.com/openshift/client-go` moved to newer pseudo-versions.
+- `github.com/openshift/library-go` is temporarily replaced with
+  `github.com/jubittajohn/library-go` at the head of
+  `openshift/library-go#2171`, because that PR carries the Kubernetes 1.36 fake
+  informer compatibility and Go 1.26 vet fixes needed by this bump.
+- `github.com/openshift/machine-config-operator` did not move because the
+  normal module query did not resolve a newer compatible version.
+- `Dockerfile` now uses the Go 1.26/OCP 5.0 builder and OCP 5.0 runtime base.
+- `.ci-operator.yaml` uses the in-repository `build_root_image` shape expected
+  by CNO's CI loader, with
+  `openshift/release:rhel-9-release-golang-1.26-openshift-5.0`. That keeps CNO
+  on the same release build-root stream shape it used before, while matching the
+  Go 1.26/OCP 5.0 tag pattern found in `openshift/release` for
+  `osac-project/fulfillment-service`.
+- `vendor` and generated CRD output were refreshed. The PKI CRD annotation now
+  reflects controller-gen `v0.21.0`.
+
+## Controller-gen build path
+
+The codegen script remains on the original vendor-mode build:
+
+```sh
+GO111MODULE=on GOFLAGS=-mod=vendor go build -tags=tools -o _output/bin/controller-gen sigs.k8s.io/controller-tools/cmd/controller-gen
+```
+
+During the first run this failed because codegen was attempted before the final
+`go mod vendor` result was available. After regenerating `vendor`, the same
+vendor-mode command builds successfully, so the script does not need to switch
+to module mode.
+
+## Compatibility patch
+
+Kubernetes 1.36 added `HasSyncedChecker()` to the `cache.SharedIndexInformer`
+interface. The current upstream `openshift/library-go` `master`, `release-5.0`,
+and `release-5.1` refs all point at a revision that does not yet implement that
+method in its fake informer.
+
+CI's `verify-deps` job rejects direct edits under `vendor/` because it runs
+`go mod tidy; go mod vendor` and expects no diff. To keep vendor generated-only,
+this update uses `openshift/library-go#2171` through a `replace` directive:
+`github.com/openshift/library-go => github.com/jubittajohn/library-go
+v0.0.0-20260529005742-3c9df83aa03b`. `go mod vendor` then copies that PR state
+into `vendor`, so dependency verification can reproduce the checked-in vendor
+tree.
+
+## Validation
+
+- `hack/update-codegen.sh` ran successfully after the final vendor refresh.
+- `make build` passed.
+- `make test` passed.
+- `make verify` can still require local tool bootstrap retries on Darwin arm64
+  when GitHub downloads are interrupted. Those local bootstrap workarounds are
+  intentionally not committed under `vendor/` because `verify-deps` would reject
+  hand-edited vendored files.
+- After the dependency fix, local `make verify` reaches the final
+  `git diff --exit-code`.
+  That final step fails while the bump is still uncommitted because the working
+  tree intentionally contains this patch. In CI, the patch is already checked
+  out as the baseline, so this step only fails if verify/codegen produces
+  additional uncommitted changes.

go.mod

@@ -1,34 +1,38 @@
 module github.com/openshift/cluster-network-operator
 
-go 1.25.0
+go 1.26.0
 
 require (
 	github.com/Masterminds/semver v1.5.0
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/containernetworking/cni v0.8.0
 	github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
 	github.com/go-bindata/go-bindata v3.1.2+incompatible
-	github.com/onsi/gomega v1.39.1
-	github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af
+	github.com/onsi/gomega v1.40.0
+	github.com/openshift/build-machinery-go v0.0.0-20260427155009-b879704ce51f
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.23.2
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/pflag v1.0.10
 	github.com/stretchr/testify v1.11.1
 	github.com/vishvananda/netlink v1.1.0
 	github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae // indirect
-	golang.org/x/net v0.51.0
+	golang.org/x/net v0.55.0
 	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/api v0.35.2
-	k8s.io/apimachinery v0.36.0-alpha.2
-	k8s.io/code-generator v0.35.2
-	k8s.io/component-base v0.35.2
-	k8s.io/klog/v2 v2.130.1
-	k8s.io/kube-proxy v0.35.2
-	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2
-	sigs.k8s.io/controller-runtime v0.23.1
+	k8s.io/api v0.36.1
+	k8s.io/apimachinery v0.36.1
+	k8s.io/code-generator v0.36.1
+	k8s.io/component-base v0.36.1
+	k8s.io/klog/v2 v2.140.0
+	k8s.io/kube-proxy v0.36.1
+	k8s.io/utils v0.0.0-20260507154919-ff6756f316d2
+	sigs.k8s.io/controller-runtime v0.24.1
 )
 
+// Use openshift/library-go PR #2171 until it merges, because it carries the
+// Kubernetes 1.36 HasSyncedChecker fake informer fix and Go 1.26 vet fixes.
+replace github.com/openshift/library-go => github.com/jubittajohn/library-go v0.0.0-20260529005742-3c9df83aa03b
+
 require (
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
@@ -39,16 +43,15 @@ require (
 	github.com/coreos/go-systemd/v22 v22.7.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/fsnotify/fsnotify v1.10.1 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
-	github.com/go-openapi/jsonpointer v0.22.5 // indirect
+	github.com/go-openapi/jsonpointer v0.23.1 // indirect
 	github.com/go-openapi/jsonreference v0.21.5 // indirect
-	github.com/go-openapi/swag v0.25.5 // indirect
+	github.com/go-openapi/swag v0.26.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20210315223345-82c243799c99 // indirect
 	github.com/huandu/xstrings v1.4.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -61,7 +64,7 @@ require (
 	github.com/pkg/profile v1.7.0 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.67.5 // indirect
+	github.com/prometheus/common v0.68.0 // indirect
 	github.com/prometheus/procfs v0.20.1 // indirect
 	github.com/robfig/cron v1.2.0 // indirect
 	github.com/sirupsen/logrus v1.9.4 // indirect
@@ -76,88 +79,91 @@ require (
 	go.opentelemetry.io/otel/trace v1.41.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.27.1 // indirect
-	golang.org/x/crypto v0.48.0 // indirect
-	golang.org/x/mod v0.33.0 // indirect
-	golang.org/x/oauth2 v0.35.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.41.0 // indirect
-	golang.org/x/term v0.40.0 // indirect
-	golang.org/x/text v0.34.0 // indirect
-	golang.org/x/time v0.14.0 // indirect
-	golang.org/x/tools v0.42.0 // indirect
+	go.uber.org/zap v1.28.0 // indirect
+	golang.org/x/crypto v0.51.0 // indirect
+	golang.org/x/mod v0.36.0 // indirect
+	golang.org/x/oauth2 v0.36.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.45.0 // indirect
+	golang.org/x/term v0.43.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
+	golang.org/x/time v0.15.0 // indirect
+	golang.org/x/tools v0.45.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
-	google.golang.org/grpc v1.79.1 // indirect
-	google.golang.org/protobuf v1.36.11 // indirect
+	google.golang.org/grpc v1.80.0 // indirect
+	google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 // indirect
-	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20260520065146-aa012df4f4af // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.35.0 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 require (
-	github.com/openshift/api v0.0.0-20260320151444-324a1bcb9f55
-	github.com/openshift/client-go v0.0.0-20260320040014-4b5fc2cdad98
-	github.com/openshift/library-go v0.0.0-20260303171201-5d9eb6295ff6
+	github.com/openshift/api v0.0.0-20260528061300-9f553042f9ae
+	github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a
+	github.com/openshift/library-go v0.0.0-20260528084301-c7d432293c13
 	github.com/openshift/machine-config-operator v0.0.1-0.20250724162154-ab14c8e2843b
-	k8s.io/apiextensions-apiserver v0.35.2
-	k8s.io/client-go v0.35.2
-	sigs.k8s.io/controller-tools v0.20.1
+	k8s.io/apiextensions-apiserver v0.36.1
+	k8s.io/client-go v0.36.1
+	sigs.k8s.io/controller-tools v0.21.0
 )
 
 require (
 	cel.dev/expr v0.25.1 // indirect
-	github.com/Masterminds/semver/v3 v3.4.0 // indirect
+	github.com/Masterminds/semver/v3 v3.5.0 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
-	github.com/fatih/color v1.18.0 // indirect
+	github.com/fatih/color v1.19.0 // indirect
 	github.com/felixge/fgprof v0.9.4 // indirect
-	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/swag/cmdutils v0.25.5 // indirect
-	github.com/go-openapi/swag/conv v0.25.5 // indirect
-	github.com/go-openapi/swag/fileutils v0.25.5 // indirect
-	github.com/go-openapi/swag/jsonname v0.25.5 // indirect
-	github.com/go-openapi/swag/jsonutils v0.25.5 // indirect
-	github.com/go-openapi/swag/loading v0.25.5 // indirect
-	github.com/go-openapi/swag/mangling v0.25.5 // indirect
-	github.com/go-openapi/swag/netutils v0.25.5 // indirect
-	github.com/go-openapi/swag/stringutils v0.25.5 // indirect
-	github.com/go-openapi/swag/typeutils v0.25.5 // indirect
-	github.com/go-openapi/swag/yamlutils v0.25.5 // indirect
+	github.com/go-openapi/swag/cmdutils v0.26.0 // indirect
+	github.com/go-openapi/swag/conv v0.26.0 // indirect
+	github.com/go-openapi/swag/fileutils v0.26.0 // indirect
+	github.com/go-openapi/swag/jsonname v0.26.0 // indirect
+	github.com/go-openapi/swag/jsonutils v0.26.0 // indirect
+	github.com/go-openapi/swag/loading v0.26.0 // indirect
+	github.com/go-openapi/swag/mangling v0.26.0 // indirect
+	github.com/go-openapi/swag/netutils v0.26.0 // indirect
+	github.com/go-openapi/swag/stringutils v0.26.0 // indirect
+	github.com/go-openapi/swag/typeutils v0.26.0 // indirect
+	github.com/go-openapi/swag/yamlutils v0.26.0 // indirect
 	github.com/gobuffalo/flect v1.0.3 // indirect
-	github.com/google/btree v1.1.3 // indirect
 	github.com/google/cel-go v0.27.0 // indirect
 	github.com/google/gnostic-models v0.7.1 // indirect
 	github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 // indirect
+	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 // indirect
+	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/mattn/go-colorable v0.1.14 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/onsi/ginkgo/v2 v2.28.1 // indirect
+	github.com/mattn/go-colorable v0.1.15 // indirect
+	github.com/mattn/go-isatty v0.0.22 // indirect
+	github.com/onsi/ginkgo/v2 v2.28.2 // indirect
+	github.com/rogpeppe/go-internal v1.15.0 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/spf13/cast v1.10.0 // indirect
 	github.com/stretchr/objx v0.5.3 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.41.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	go.yaml.in/yaml/v2 v2.4.4 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa // indirect
+	golang.org/x/exp v0.0.0-20260529124908-c761662dc8c9 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
-	k8s.io/apiserver v0.35.2 // indirect
-	k8s.io/gengo/v2 v2.0.0-20251215205346-5ee0d033ba5b // indirect
-	k8s.io/kms v0.35.2 // indirect
-	k8s.io/kube-aggregator v0.35.1 // indirect
+	k8s.io/apiserver v0.36.1 // indirect
+	k8s.io/gengo/v2 v2.0.0-20260408192533-25e2208e0dc3 // indirect
+	k8s.io/kms v0.36.1 // indirect
+	k8s.io/kube-aggregator v0.36.1 // indirect
+	k8s.io/streaming v0.36.1 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v6 v6.3.2 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.4.0 // indirect
 )