OCPBUGS-33013: deps: Update library-go to update staticpod pkg

[tchap]

This aligns the way installerpod and certsyncpod populate/update directories with secrets/configmaps.

[coderabbitai]

Walkthrough

Updates the github.com/openshift/library-go dependency version in go.mod from v0.0.0-20251015151611-6fc7a74b67c5 to v0.0.0-20251106210235-69ca907a9c40.

Changes

Cohort / File(s)	Change Summary
Dependency Version Update go.mod	Updated github.com/openshift/library-go require entry from v0.0.0-20251015151611-6fc7a74b67c5 to v0.0.0-20251106210235-69ca907a9c40

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

• Verify the new dependency version is valid and compatible
• Confirm no transitive dependency conflicts are introduced by this version bump

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The PR title "WIP: Update library-go to improve cert-syncer" directly corresponds to the changeset, which updates a replace directive in go.mod to point to a different version of the github.com/openshift/library-go dependency. The title is specific, clear, and accurately summarizes the primary change—updating the library-go dependency as part of cert-syncer improvements. The "WIP:" prefix appropriately reflects the work-in-progress status indicated by the PR labels and context.
Description Check	✅ Passed	The PR description "Depends on openshift/library-go#2009" is related to the changeset and provides useful context about the dependency chain. Since the PR is updating the library-go dependency via a replace directive, mentioning that it depends on a specific upstream PR in the library-go repository appropriately contextualizes the change and explains its relationship to external work.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between edf6957 and e340297.

⛔ Files ignored due to path filters (14)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/admissionregistration.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/generic.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/networking.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/storage.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/revisioncontroller/revision_controller.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/staticpod/certsyncpod/certsync_controller.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/staticpod/controller/guard/manifests/guard-pod.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/staticpod/installerpod/cmd.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/staticpod/internal/atomicdir/swap_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/staticpod/internal/atomicdir/swap_other.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/staticpod/internal/atomicdir/sync.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/staticpod/internal/atomicdir/types/file.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (1)

• go.mod (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• go.mod

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge Base: Disabled due to Reviews > Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 0bec046 and ef221da.

⛔ Files ignored due to path filters (7)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/storage.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/resource/resourceread/networking.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/staticpod/certsyncpod/certsync_controller.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/staticpod/file_utils.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (1)

• go.mod (1 hunks)

🔇 Additional comments (1)

go.mod (1)

136-136: No action needed for the blank line.

[tchap]

/retest

[tchap]

/test e2e-short-cert-rotation
/test e2e-metal-ovn-sno-cert-rotation-shutdown-90d
/test e2e-metal-ovn-ha-cert-rotation-suspend-180d

[tchap]

/retest

[tchap]

/retest

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

go.mod (1)

137-137: Fork replace: add inline TODO and ensure module hygiene.

Keep the fork pinned, but annotate intent and revert plan; run tidy/vendor and commit go.sum.

Apply this diff to document the temporary replace:

+// TEMP: redirect library-go to fork for cert-syncer WIP.
+// TODO: revert to upstream once https://github.com/openshift/library-go/pull/2009 merges.
 replace github.com/openshift/library-go => github.com/tchap/library-go v0.0.0-20251014095330-6b52148a887b

To verify and tidy:

#!/bin/bash
set -euo pipefail

# Show effective replace
go list -m -json github.com/openshift/library-go | jq '{Path,Version,Replace}'

# Tidy and (if applicable) vendor
go mod tidy
if [ -d vendor ]; then go mod vendor; fi

# Confirm only a single version per key deps is present
echo "k8s.io/apimachinery versions:"
go mod graph | rg -nP '\bk8s\.io/apimachinery@' | awk '{print $2}' | sort -u

echo "openshift/api and openshift/client-go edges:"
go mod graph | rg -nP 'openshift/(api|client-go)@'

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 69bca0a and 2b94fa3.

⛔ Files ignored due to path filters (47)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/api/.golangci.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/Makefile is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/OWNERS is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_cluster_operator.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_cluster_version.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/console/v1/types_console_cli_download.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/console/v1/types_console_link.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/envtest-releases.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/features.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/features/features.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/features/legacyfeaturegates.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/imageregistry/v1/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/imageregistry/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/legacyconfig/v1/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/legacyconfig/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machine/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machine/v1beta1/types_machinehealthcheck.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/types_etcd.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/types_ingress.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/staticpod/certsyncpod/certsync_controller.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/staticpod/installerpod/cmd.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/staticpod/internal/atomicdir/swap_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/staticpod/internal/atomicdir/swap_other.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/staticpod/internal/atomicdir/sync.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/staticpod/internal/dirutils/remove_content.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (1)

• go.mod (2 hunks)

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 2b94fa3 and 0819290.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod (1 hunks)

[tchap]

/test e2e-short-cert-rotation
/test e2e-metal-ovn-sno-cert-rotation-shutdown-90d
/test e2e-metal-ovn-ha-cert-rotation-suspend-180d

[tchap]

/retest

[tchap]

This is actually blocked by #1946

[tchap]

/retest

[tchap]

/retest-required

[openshift-ci-robot]

@tchap: This pull request references Jira Issue OCPBUGS-33013, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@tchap: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-operator-single-node	69bca0a	link	false	/test e2e-gcp-operator-single-node
ci/prow/e2e-aws-ovn-single-node	69bca0a	link	false	/test e2e-aws-ovn-single-node
ci/prow/e2e-aws-operator-disruptive-single-node	69bca0a	link	false	/test e2e-aws-operator-disruptive-single-node
ci/prow/e2e-azure-ovn	69bca0a	link	false	/test e2e-azure-ovn
ci/prow/e2e-metal-ovn-ha-cert-rotation-suspend-180d	35c5b96	link	false	/test e2e-metal-ovn-ha-cert-rotation-suspend-180d
ci/prow/e2e-metal-ovn-sno-cert-rotation-shutdown-90d	35c5b96	link	false	/test e2e-metal-ovn-sno-cert-rotation-shutdown-90d

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[tchap]

/retest-required

[p0lyn0mial]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: p0lyn0mial, tchap

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [p0lyn0mial]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wangke19]

/payload-aggregate periodic-ci-openshift-openshift-tests-private-release-4.21-amd64-nightly-vsphere-ipi-proxy-fips-regen-cert-f14

[openshift-ci]

@wangke19: it appears that you have attempted to use some version of the payload command, but your comment was incorrectly formatted and cannot be acted upon. See the docs for usage info.

[wangke19]

/payload-job periodic-ci-openshift-openshift-tests-private-release-4.21-amd64-nightly-vsphere-ipi-proxy-fips-regen-cert-f14

[openshift-ci]

@wangke19: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-openshift-tests-private-release-4.21-amd64-nightly-vsphere-ipi-proxy-fips-regen-cert-f14

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/dc638630-bbb5-11f0-9cf6-fad0861451c5-0

[wangke19]

The PR has been pre-merge verified, detail see: https://issues.redhat.com/browse/OCPBUGS-33013?focusedId=28412936&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-28412936

[wangke19]

/verified by Claude AI and @wangke19

[openshift-ci-robot]

@wangke19: This PR has been marked as verified by Claude AI and @wangke19.

In response to this:

/verified by Claude AI and @wangke19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD dd7bd0d and 2 for PR HEAD e340297 in total

[tchap]

/hold

I will merge this on Monday, just to be sure.

[tchap]

/unhold

[openshift-ci-robot]

@tchap: Jira Issue OCPBUGS-33013: All pull requests linked via external trackers have merged:

• openshift/library-go#2009
• openshift/library-go#2026
• openshift/library-go#2027
• openshift/library-go#2028
• openshift/library-go#2036
• openshift/library-go#2038
• openshift/cluster-kube-apiserver-operator#1917
• openshift/cluster-kube-controller-manager-operator#892

Jira Issue OCPBUGS-33013 has been moved to the MODIFIED state.

In response to this:

This aligns the way installerpod and certsyncpod populate/update directories with secrets/configmaps.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.