openshift · sebrandon1 · Nov 24, 2025
diff --git a/pkg/controller/cabundleinjector/starter.go b/pkg/controller/cabundleinjector/starter.go
@@ -3,12 +3,12 @@ package cabundleinjector
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"os"
 	"strings"
 	"time"
 
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	kubeinformers "k8s.io/client-go/informers"
@@ -52,18 +52,18 @@ func StartCABundleInjector(ctx context.Context, controllerContext *controllercmd
 	// TODO(marun) Detect and respond to changes in this path rather than
 	// depending on the operator for redeployment
 	caBundleFile := "/var/run/configmaps/signing-cabundle/ca-bundle.crt"
-	caBundleContent, err := ioutil.ReadFile(caBundleFile)
+	caBundleContent, err := os.ReadFile(caBundleFile)
 	if err != nil {
 		return err
 	}
 
 	// this construction matches what the old kube controller manager did. It added the entire ca.crt to the service-ca.crt.
-	vulnerableLegacyCABundleContent, err := ioutil.ReadFile(caBundleFile)
+	vulnerableLegacyCABundleContent, err := os.ReadFile(caBundleFile)
 	if err != nil {
 		return err
 	}
 	saTokenCAFile := "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
-	saTokenCABundleContent, err := ioutil.ReadFile(saTokenCAFile)
+	saTokenCABundleContent, err := os.ReadFile(saTokenCAFile)
 	if err != nil && !os.IsNotExist(err) {
 		return err
 	}

diff --git a/pkg/controller/servingcert/starter/starter.go b/pkg/controller/servingcert/starter/starter.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/x509"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"time"
 
@@ -103,7 +102,7 @@ func StartServiceServingCertSigner(ctx context.Context, controllerContext *contr
 // bridge trust between the current and previous CA, but a new cluster
 // will not have a previous CA.
 func readIntermediateCACert(filename string) (*x509.Certificate, error) {
-	certsPEMBlock, err := ioutil.ReadFile(filename)
+	certsPEMBlock, err := os.ReadFile(filename)
 	if os.IsNotExist(err) {
 		klog.V(4).Infof("%q does not exist which indicates that an intermediate certificate was not specified", filename)
 		return nil, nil

diff --git a/test/util/rotate.go b/test/util/rotate.go
@@ -7,7 +7,6 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"fmt"
-	"io/ioutil"
 	"net"
 	"net/http"
 	"os"
@@ -59,7 +58,7 @@ func CheckRotation(t *testing.T, dnsName string, oldCertPEM, oldKeyPEM, oldBundl
 func checkClientTrust(t *testing.T, testName, dnsName string, certPEM, keyPEM, bundlePEM []byte) {
 	// Emulate how a service will consume the serving cert by writing
 	// the cert and key to disk.
-	certFile, err := ioutil.TempFile("", v1.TLSCertKey)
+	certFile, err := os.CreateTemp("", v1.TLSCertKey)
 	if err != nil {
 		t.Fatalf("error creating tmpfile for cert: %v", err)
 
@@ -75,7 +74,7 @@ func checkClientTrust(t *testing.T, testName, dnsName string, certPEM, keyPEM, b
 		t.Fatalf("Error writing cert to disk: %v", err)
 	}
 
-	keyFile, err := ioutil.TempFile("", v1.TLSPrivateKeyKey)
+	keyFile, err := os.CreateTemp("", v1.TLSPrivateKeyKey)
 	if err != nil {
 		t.Fatalf("error creating tmpfile for key: %v", err)