CNTRLPLANE-3308: deps: bump k8s.io 0.34 → 0.35 and openshift/api

[muraee]

Summary

• Bump k8s.io/* from v0.34.3 to v0.35.1
• Bump github.com/openshift/api to 3c6b218b (openshift/api#2786) to pick up the ObservedRevisionGeneration field on ClusterAPIStatus
• Bump github.com/openshift/client-go to a19e917 (compatible with new API)
• Bump karpenter forks to versions built against k8s 0.35

Code fixes for API changes

• MustBaseEnvSet: removed bool param in k8s 0.35 (support/validations/authentication.go, control-plane-operator/.../auth.go)
• ClusterImagePolicy moved from config/v1alpha1 to config/v1 (hypershift-operator/controllers/nodepool/config.go)
• NodeSelectorRequirementWithMinValues no longer embeds corev1.NodeSelectorRequirement (test/e2e/karpenter_test.go)
• Removed etcd/tests/v3 dependency to eliminate olekukonko/tablewriter v0.x/v1.x conflict (etcdctl uses v0.x API, karpenter requires v1.x)

Why

The k8s 0.35 bump is required by the latest openshift/api which adds the ObservedRevisionGeneration field. This field is needed by PR #7996 to properly wait for the Cluster CAPI Operator to acknowledge unmanaged CRDs during hypershift install.

Test plan

• make build passes
• make test passes (all unit tests)
• go vet passes
• make update succeeds

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated Go toolchain to a newer patch release (build images and tooling aligned).
  • Refreshed core and indirect dependencies across the Kubernetes and related ecosystems.
  • Adjusted code verification tooling configuration to refine files excluded from checks.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The Makefile verify-codespell target’s codespell --skip list was adjusted to add ./api/go.sum while retaining existing skips such as ./go.sum, ./hack/workspace/go.work.sum, and other prior patterns. api/go.mod updates the Go toolchain directive from go 1.25.3 to go 1.25.7 and upgrades multiple direct and indirect dependencies (notably Kubernetes/OpenShift-related modules, go-openapi-related modules, and various indirects), plus updated replace directives to newer OpenShift pseudo-versions. Dockerfile.github-actions-runner updates the GO_VERSION build ARG from 1.25.3 to 1.25.7.

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
Ote Binary Stdout Contract	❌ Error	PR introduces fmt.Println() and fmt.Printf() calls in TestE2EV2() function that write directly to stdout before RunSpecs() is called, violating OTE Binary Stdout Contract.	Replace fmt.Print*/Printf calls with fmt.Fprintf(os.Stderr, ...) or GinkgoWriter to redirect output from stdout to stderr.

✅ Passed checks (9 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main changes: bumping Kubernetes and OpenShift API dependencies.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	PR modifies Makefile, Dockerfile, and api/go.mod without introducing Ginkgo tests with dynamic test names.
Test Structure And Quality	✅ Passed	The PR does not introduce Ginkgo-style tests using Describe/Context/It blocks; it uses standard Go testing with t.Run() subtests and Gomega matchers. Since no Ginkgo test code is present, this check is not applicable.
Microshift Test Compatibility	✅ Passed	This PR is exclusively a dependency update bump with associated code changes to accommodate API compatibility changes. No new Ginkgo e2e tests are being added to the codebase.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR contains only dependency updates and modifications to existing tests, not new Ginkgo e2e test additions.
Topology-Aware Scheduling Compatibility	✅ Passed	PR contains only dependency upgrades and build configuration changes; no pod scheduling constraints incompatible with SNO/Two-Node/HyperShift topologies detected.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR; only existing test code is modified to handle API changes.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@muraee: This pull request references CNTRLPLANE-3308 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Bump k8s.io/* from v0.34.3 to v0.35.1
• Bump github.com/openshift/api to 3c6b218b (openshift/api#2786) to pick up the ObservedRevisionGeneration field on ClusterAPIStatus
• Bump github.com/openshift/client-go to a19e917 (compatible with new API)
• Bump karpenter forks to versions built against k8s 0.35

Code fixes for API changes

• MustBaseEnvSet: removed bool param in k8s 0.35 (support/validations/authentication.go, control-plane-operator/.../auth.go)
• ClusterImagePolicy moved from config/v1alpha1 to config/v1 (hypershift-operator/controllers/nodepool/config.go)
• NodeSelectorRequirementWithMinValues no longer embeds corev1.NodeSelectorRequirement (test/e2e/karpenter_test.go)
• Removed etcd/tests/v3 dependency to eliminate olekukonko/tablewriter v0.x/v1.x conflict (etcdctl uses v0.x API, karpenter requires v1.x)

Why

The k8s 0.35 bump is required by the latest openshift/api which adds the ObservedRevisionGeneration field. This field is needed by PR #7996 to properly wait for the Cluster CAPI Operator to acknowledge unmanaged CRDs during hypershift install.

Test plan

• make build passes
• make test passes (all unit tests)
• go vet passes
• make update succeeds

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[muraee]

/test "ci/prow/security"

[muraee]

/retest

[bryan-cox]

/lgtm

[bryan-cox]

/verified by e2e & ut

[openshift-ci-robot]

@bryan-cox: This PR has been marked as verified by e2e & ut.

Details

In response to this:

/verified by e2e & ut

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks-4-22
/test e2e-aws-4-22
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 60802b1 and 2 for PR HEAD 08add78 in total

[muraee]

/override "codecov/project"

[openshift-ci]

@muraee: Overrode contexts on behalf of muraee: codecov/project

Details

In response to this:

/override "codecov/project"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-azure-self-managed | Build: 2049476342528872448 | Cost: $3.4754495499999987 | Failed step: hypershift-azure-run-e2e-self-managed

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[muraee]

/retest

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aws | Build: 2049476342386266112 | Cost: $4.85899025 | Failed step: hypershift-aws-run-e2e-nested

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[bryan-cox]

/test e2e-azure-self-managed

[bryan-cox]

/retest

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 54a4a7f and 1 for PR HEAD 08add78 in total

[openshift-ci]

@muraee: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[hypershift-jira-solve-ci]

Test Failure Analysis Complete

Job Information

• Prow Job: codecov/project (GitHub Actions check, not a Prow CI job)
• Build ID: Check run 73675666452
• PR: #8286 — CNTRLPLANE-3308: deps: bump k8s.io 0.34 → 0.35 and openshift/api
• Branch: bump-openshift-api → main

Test Failure Analysis

Error

codecov/project: 36.40% (-0.07%) compared to 60802b1

Summary

The codecov/project check failed because overall project test coverage dropped by 0.07% (from 36.46% to 36.40%) relative to the base commit on main. This is a false positive — the PR itself does not reduce coverage of any modified code (the codecov/patch check passed, confirming all modified and coverable lines are covered). The drop is caused by indirect coverage changes from carried-forward flag recalculation across test shards after a large dependency bump, compounded by a stale base comparison (report is 11 commits behind main).

Root Cause

The codecov.yml configuration has no coverage.status section, so Codecov applies its default threshold: the codecov/project check fails if overall project coverage decreases by any amount (even 0.01%).

The coverage arithmetic shows:

• Lines: 93,256 → 93,292 (+36 new lines from API/dependency changes)
• Hits: 34,010 → 33,959 (−51 previously-covered lines lost)
• Misses: 56,532 → 56,619 (+87 uncovered lines)

The −51 hit loss is entirely from indirect coverage changes — lines in existing files whose coverage status changed due to how Go test coverage profiles are recomputed when dependencies shift. The other test shard dropped by −0.82% (covering karpenter-operator, control-plane-pki-operator, pkg/, ignition-server/, etc.), which is the primary contributor to the overall project-level decrease.

This is a large dependency bump PR (~3,000 files changed, ~2,816 of which are vendor). The dependency reorganization causes Go's coverage tooling to recompute line mappings, and carried-forward coverage flags across the 5 test shards shift slightly when the underlying dependency graph changes — even when no application logic is modified. Additionally, the Codecov report was 11 commits behind main, meaning it compared against a stale baseline that may itself have had different coverage characteristics.

Recommendations

1. No action required for this PR — This is a false positive caused by indirect coverage shift from a dependency bump. All modified and coverable lines are covered by tests.

2. Consider adding a coverage threshold to codecov.yml to prevent future false positives on dependency bumps:

   coverage:
     status:
       project:
         default:
           threshold: 0.1%  # Allow up to 0.1% drop
       patch:
         default:
           target: auto

3. Rebase and re-run if needed — rebasing onto the latest main would eliminate the "11 commits behind" staleness issue and likely reduce or eliminate the reported coverage delta.

Evidence

Evidence	Detail
Check run conclusion	failure from Codecov app
Coverage delta	36.46% → 36.40% (−0.07%)
codecov/patch status	✅ passed — "All modified and coverable lines are covered by tests"
Lines changed	+36 new lines, −51 hits lost, +87 new misses
Stale base	"Report is 11 commits behind head on main"
Largest shard drop	other flag: −0.82% (karpenter-operator, pki-operator, pkg/, etc.)
PR nature	Dependency bump (k8s.io 0.34→0.35 + openshift/api) — no application logic changes
Codecov config	No coverage.status section → default threshold of 0% (any drop = failure)
Files in PR	~3,000 total (~2,816 vendor, ~184 non-vendor); only 10 non-vendor Go source files listed

---

[muraee]

/cherry-pick release-4.22

[openshift-cherrypick-robot]

@muraee: Failed to get PR patch from GitHub. This PR will need to be manually cherrypicked.

Error message

status code 406 not one of [200], body: {"message":"Sorry, the diff exceeded the maximum number of files (300). Consider using 'List pull requests files' API or locally cloning the repository instead.","errors":[{"resource":"PullRequest","field":"diff","code":"too_large"}],"documentation_url":"https://docs.github.com/rest/pulls/pulls#list-pull-requests-files","status":"406"}

Details

In response to this:

/cherry-pick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.