
chore (deps) : update controller-runtime to v0.23.1 #1568

Open

rohanKanojia wants to merge 3 commits into devfile:main from rohankanojia-forks:pr/update-controller-runtime-0-22-4

Conversation

@rohanKanojia
Member

@rohanKanojia rohanKanojia commented Jan 8, 2026

What does this PR do?

This PR updates sigs.k8s.io/controller-runtime from v0.22.1 to v0.23.1, along with corresponding Kubernetes API dependencies to v0.35.0. This is a routine dependency update to ensure the DevWorkspace Operator stays current with the latest stable controller-runtime releases.

What issues does this PR fix or reference?

N/A - This is a routine dependency update for maintenance purposes.

Is it tested? How?

  • Existing unit tests validate compatibility with the updated controller-runtime version
  • The update only modifies go.mod and go.sum files with dependency version changes
  • There is only one breaking change introduced:
    • Existing code of the form builder.WebhookManagedBy(mgr).For(&corev1.Deployment{}) has to be changed to builder.WebhookManagedBy(mgr, &appsv1.Deployment{})

PR Checklist

  • E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
    • v8-devworkspace-operator-e2e: DevWorkspace e2e test
    • v8-che-happy-path: Happy path for verification integration with Che

Summary by CodeRabbit

  • New Features

    • Support for numeric comparison operators in taint tolerations, enabling Lt/Gt comparisons (requires TaintTolerationComparisonOperators feature gate).
    • New userAnnotations field for pod certificate configuration to support custom metadata propagation.
  • Documentation

    • Clarified that container resize policies cannot be applied to ephemeral containers.
  • Chores

    • Updated module dependencies and webhook configuration.

@openshift-ci

openshift-ci bot commented Jan 8, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci

openshift-ci bot commented Jan 8, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rohanKanojia
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rohanKanojia
Member Author

/ok-to-test

@rohanKanojia
Member Author

/retest

@rohanKanojia rohanKanojia force-pushed the pr/update-controller-runtime-0-22-4 branch from a4264d3 to 63ba147 on March 4, 2026 05:40
@rohanKanojia rohanKanojia changed the title from "chore (deps) : update controller-runtime to v0.22.4" to "chore (deps) : update controller-runtime to v0.23.1" on Mar 4, 2026
@rohanKanojia rohanKanojia marked this pull request as ready for review on March 4, 2026 11:12
@rohanKanojia rohanKanojia requested a review from tolusha on March 4, 2026 13:44
@rohanKanojia rohanKanojia force-pushed the pr/update-controller-runtime-0-22-4 branch from 7f50c28 to c5cca66 on March 16, 2026 02:52
@dkwon17
Collaborator

dkwon17 commented Mar 27, 2026

@rohanKanojia when you have a moment, could you please rebase?

Signed-off-by: Rohan Kumar <rohaan@redhat.com>
…de to v0.23.1

Signed-off-by: Rohan Kumar <rohaan@redhat.com>
This method's arguments were changed in controller-runtime v0.23.0.

Existing code of the form builder.WebhookManagedBy(mgr).For(&corev1.Deployment{}) has to be changed to builder.WebhookManagedBy(mgr, &appsv1.Deployment{})

Signed-off-by: Rohan Kumar <rohaan@redhat.com>
@rohanKanojia rohanKanojia force-pushed the pr/update-controller-runtime-0-22-4 branch from c5cca66 to d254509 on March 27, 2026 16:07
@coderabbitai

coderabbitai bot commented Mar 27, 2026

📝 Walkthrough

Walkthrough

Multiple CRD manifest files updated with schema documentation changes: expanded taint toleration operators to include Lt/Gt comparisons, clarified container resizePolicy restrictions, removed RecoverVolumeExpansionFailure feature gate references, and added userAnnotations field to pod certificate configuration. Go dependency versions bumped. Webhook setup in main.go modified to pass DevWorkspace objects to NewWebhookManagedBy.

Changes

Cohort / File(s) | Summary

CRD Schema Documentation Updates
deploy/bundle/manifests/controller.devfile.io_devworkspaceoperatorconfigs.yaml, deploy/bundle/manifests/controller.devfile.io_devworkspaceroutings.yaml, deploy/deployment/kubernetes/combined.yaml, deploy/deployment/kubernetes/objects/devworkspaceoperatorconfigs...yaml, deploy/deployment/kubernetes/objects/devworkspaceroutings...yaml, deploy/deployment/openshift/combined.yaml, deploy/deployment/openshift/objects/devworkspaceoperatorconfigs...yaml, deploy/deployment/openshift/objects/devworkspaceroutings...yaml, deploy/templates/crd/bases/controller.devfile.io_devworkspaceoperatorconfigs.yaml, deploy/templates/crd/bases/controller.devfile.io_devworkspaceroutings.yaml
Updated schema documentation across manifests: expanded taint toleration operator field to support Lt/Gt numeric comparisons (gated by TaintTolerationComparisonOperators); clarified container resizePolicy cannot be set on ephemeral containers; removed feature gate conditional wording from volume expansion resources; added new userAnnotations object field to pod certificate signer configuration for passing unverified metadata to PodCertificateRequest objects.

Go Module Dependencies
go.mod
Updated direct and indirect dependency versions for logging, testing, Kubernetes API stack, controller-runtime, Prometheus client, and OpenTelemetry libraries. Removed github.com/pkg/errors indirect dependency; added github.com/Masterminds/semver/v3.

Webhook Setup
main.go
Modified DevWorkspace conversion webhook registration to pass DevWorkspace object types as arguments to NewWebhookManagedBy() for both v1alpha1 and v1alpha2 registrations.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Manifests bloom with clearer tales,
Numeric operators set sail,
Ephemeral bounds take their place,
Dependencies dance through cyberspace,
Webhooks aligned, all systems hale!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'chore (deps): update controller-runtime to v0.23.1' accurately describes the main change—updating a critical dependency. However, it omits that Kubernetes API dependencies were also aligned to v0.35.0 and webhook API calls were refactored due to breaking changes.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 99: Update the pinned vulnerable modules in go.mod: bump
go.opentelemetry.io/otel/sdk from v1.36.0 to at least v1.40.0 and
google.golang.org/grpc to at least v1.79.3 (these are the unique module names to
change), then run module resolution to refresh the go.sum (e.g., update
dependencies and run dependency tidy/resolve so the new versions are recorded
and checksums updated) and verify compilation and tests pass.

In `@main.go`:
- Around line 216-220: The webhook registration errors are currently only logged
and startup continues; change both ctrl.NewWebhookManagedBy(...).Complete()
error checks (for dwv1.DevWorkspace and dwv2.DevWorkspace using mgr) to treat
failures as fatal initialization errors: after logging the error with
setupLog.Error include a process-terminating action (consistent with other
main() setup steps), e.g. call os.Exit(1) or an equivalent fatal logger, so the
manager does not start in a degraded state when conversion webhook registration
fails.


📥 Commits

Reviewing files that changed from the base of the PR and between 441bcb2 and d254509.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (12)
  • deploy/bundle/manifests/controller.devfile.io_devworkspaceoperatorconfigs.yaml
  • deploy/bundle/manifests/controller.devfile.io_devworkspaceroutings.yaml
  • deploy/deployment/kubernetes/combined.yaml
  • deploy/deployment/kubernetes/objects/devworkspaceoperatorconfigs.controller.devfile.io.CustomResourceDefinition.yaml
  • deploy/deployment/kubernetes/objects/devworkspaceroutings.controller.devfile.io.CustomResourceDefinition.yaml
  • deploy/deployment/openshift/combined.yaml
  • deploy/deployment/openshift/objects/devworkspaceoperatorconfigs.controller.devfile.io.CustomResourceDefinition.yaml
  • deploy/deployment/openshift/objects/devworkspaceroutings.controller.devfile.io.CustomResourceDefinition.yaml
  • deploy/templates/crd/bases/controller.devfile.io_devworkspaceoperatorconfigs.yaml
  • deploy/templates/crd/bases/controller.devfile.io_devworkspaceroutings.yaml
  • go.mod
  • main.go

go.opentelemetry.io/otel/sdk v1.34.0 // indirect
go.opentelemetry.io/otel/trace v1.35.0 // indirect
go.opentelemetry.io/otel/metric v1.36.0 // indirect
go.opentelemetry.io/otel/sdk v1.36.0 // indirect
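Review bot: the last line of this hunk moves go.opentelemetry.io/otel/sdk from v1.34.0 to v1.36.0, which is exactly the version the OSV Scanner output in the inline comment flags (GO-2026-4394 / GHSA-9h8m-3fm2-qjrq, fixed in v1.40.0), so the dependency bump lands on a known-vulnerable pin rather than past it. Because the module is marked `// indirect`, updating controller-runtime alone will not move it; pin it explicitly with `go get go.opentelemetry.io/otel/sdk@v1.40.0` followed by `go mod tidy`, and run `govulncheck ./...` afterwards so the result is based on reachable call paths and not only on the pinned version. The advisory's PATH-hijack path is described as macOS-only, so the operator's Linux container image is unlikely to be exploitable at runtime, but the pin will keep tripping scanners until it moves.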


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Confirm vulnerable versions are currently pinned in go.mod
rg -n 'go\.opentelemetry\.io/otel/sdk v1\.36\.0|google\.golang\.org/grpc v1\.72\.2' go.mod

# 2) Query OSV for each module@version
python - <<'PY'
import json
import urllib.request

targets = [
    ("go.opentelemetry.io/otel/sdk", "1.36.0"),
    ("google.golang.org/grpc", "1.72.2"),
]

for mod, ver in targets:
    payload = json.dumps({
        "package": {"ecosystem": "Go", "name": mod},
        "version": ver
    }).encode("utf-8")
    req = urllib.request.Request(
        "https://api.osv.dev/v1/query",
        data=payload,
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=20) as resp:
        data = json.load(resp)

    vulns = data.get("vulns", [])
    print(f"\n{mod}@{ver}: {len(vulns)} vulnerability record(s)")
    for v in vulns:
        aliases = ",".join(v.get("aliases", []))
        print(f"- {v.get('id')} aliases=[{aliases}]")
        for a in v.get("affected", []):
            for r in a.get("ranges", []):
                for e in r.get("events", []):
                    if "fixed" in e:
                        print(f"  fixed: {e['fixed']}")
PY

Repository: devfile/devworkspace-operator



🌐 Web query:

go.opentelemetry.io/otel/sdk v1.36.0 vulnerability CVE advisory

💡 Result:

The go.opentelemetry.io/otel/sdk v1.36.0 is vulnerable to CVE-2026-24051 (also known as GHSA-9h8m-3fm2-qjrq and GO-2026-4394). This is a high-severity vulnerability (CVSS 7.0-7.3) involving arbitrary code execution via PATH hijacking on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the 'ioreg' command without a secure PATH, allowing local attackers who can modify the PATH environment variable to execute malicious code in the application's context. Affected versions: v1.20.0 through v1.39.0 (specifically >=1.21.0, <1.40.0 in some reports). Fixed in v1.40.0 via commit d45961bcda453fcbdb6469c22d6e88a1f9970a53. Official advisory: GHSA-9h8m-3fm2-qjrq. Update to v1.40.0 or later. Only exploitable on macOS/Darwin with local PATH modification access.

🌐 Web query:

google.golang.org/grpc v1.72.2 vulnerability CVE advisory

💡 Result:

Yes, google.golang.org/grpc v1.72.2 is vulnerable to CVE-2026-33186, a critical authorization bypass vulnerability (CVSS 9.1). CVE-2026-33186 affects google.golang.org/grpc versions prior to 1.79.3. The issue is an authorization bypass in gRPC-Go servers due to improper validation of the HTTP/2 :path pseudo-header. The server accepts requests missing the leading slash in :path (e.g., "Service/Method" instead of "/Service/Method"). While routing succeeds, path-based authorization interceptors (like grpc/authz) evaluate the non-canonical path, bypassing "deny" rules that expect canonical paths with leading slashes if a fallback "allow" exists. This impacts servers using path-based auth interceptors with deny rules for canonical paths and a default allow. v1.72.2, released around early March 2026, is before the fixed v1.79.3 (March 17, 2026). Fix: Upgrade to v1.79.3 or later. Mitigations: Add unary interceptor to reject paths without leading slash; use reverse proxy to enforce HTTP/2 compliance; harden auth policies to avoid fallback allows. Official advisory: GHSA-p77j-4mvh-x3m3


Upgrade vulnerable dependencies to patch critical security issues.

Line 99 pins go.opentelemetry.io/otel/sdk v1.36.0 (CVE-2026-24051, CVSS 7.0–7.3: PATH hijacking on macOS) and line 117 pins google.golang.org/grpc v1.72.2 (CVE-2026-33186, CVSS 9.1: authorization bypass via HTTP/2 :path validation). Upgrade to v1.40.0+ and v1.79.3+ respectively before release.

🧰 Tools
🪛 OSV Scanner (2.3.5)

[HIGH] 99-99: go.opentelemetry.io/otel/sdk 1.36.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

(GO-2026-4394)


[HIGH] 99-99: go.opentelemetry.io/otel/sdk 1.36.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

(GHSA-9h8m-3fm2-qjrq)

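The PATH-hijacking class that the otel/sdk advisory in the comment above describes (a system tool such as `ioreg` resolved through whatever PATH the process inherited), shown as an added example that is not the project's or OpenTelemetry's code: the PATH-dependent lookup beside a lookup pinned to a fixed list of directories the program itself chooses. The fake tool, the temporary directory and `trustedDirs` are constructed for illustration; `ioreg` is used as the name only because that is the binary the advisory names, and the script is never executed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// trustedDirs is a fixed search list chosen by the program, not by the
// environment. Assumed for this example; a real program would list the
// directories its platform actually installs system tools in.
var trustedDirs = []string{"/usr/sbin", "/usr/bin", "/sbin", "/bin"}

var (
	ErrBareNameRequired = errors.New("tool name must be a bare file name")
	ErrNotInTrustedDirs = errors.New("tool not found in trusted directories")
)

// vulnerableLookup is the pattern the advisory describes: the binary is
// resolved through the inherited PATH, so whoever can prepend a directory
// to PATH decides which file is executed under the program's identity.
func vulnerableLookup(name string) (string, error) {
	return exec.LookPath(name)
}

// resolveTrusted ignores PATH entirely. It accepts only a bare file name,
// tries each trusted directory in order and requires a regular file with
// at least one execute bit set.
func resolveTrusted(name string, dirs []string) (string, error) {
	if name == "" || name == "." || name == ".." ||
		filepath.Base(name) != name || strings.ContainsAny(name, `/\`) {
		return "", ErrBareNameRequired
	}
	for _, dir := range dirs {
		candidate := filepath.Join(dir, name)
		st, err := os.Stat(candidate)
		if err != nil {
			continue
		}
		if st.Mode().IsRegular() && st.Mode().Perm()&0o111 != 0 {
			return candidate, nil
		}
	}
	return "", ErrNotInTrustedDirs
}

// plantFakeTool simulates the local attacker: it drops an executable script
// named `name` into dir. The caller then puts dir at the front of PATH.
func plantFakeTool(dir, name string) (string, error) {
	path := filepath.Join(dir, name)
	script := "#!/bin/sh\necho hijacked\n"
	if err := os.WriteFile(path, []byte(script), 0o755); err != nil {
		return "", err
	}
	return path, nil
}

func main() {
	dir, err := os.MkdirTemp("", "hijack")
	if err != nil {
		fmt.Println("mkdirtemp:", err)
		return
	}
	defer os.RemoveAll(dir)

	fake, _ := plantFakeTool(dir, "ioreg")
	os.Setenv("PATH", dir+string(os.PathListSeparator)+os.Getenv("PATH"))

	got, err := vulnerableLookup("ioreg")
	fmt.Printf("PATH lookup    -> %q err=%v hijacked=%v\n", got, err, got == fake)

	got, err = resolveTrusted("ioreg", trustedDirs)
	fmt.Printf("trusted lookup -> %q err=%v\n", got, err)
}
```

The hardened lookup still fails closed when the tool is genuinely absent (the `ErrNotInTrustedDirs` branch), which is the right outcome for host-ID detection: a missing attribute is preferable to running an attacker-supplied binary.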
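The authorization-bypass mechanism that the gRPC advisory in the comment above describes (a deny rule written against the canonical `/Service/Method` path, a request arriving with `Service/Method`, and a fallback allow), shown as an added example that is not the project's code and not grpc-go's authz package: a naive evaluator that reproduces the bypass beside a hardened one that applies the mitigation the advisory suggests, rejecting non-canonical paths before any policy lookup. In a real server the `canonicalPath` check would run in a unary server interceptor on `info.FullMethod`; the `Policy` type and the method names are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNonCanonicalPath is returned for any method path that is not of the
// form "/<service>/<method>".
var ErrNonCanonicalPath = errors.New("non-canonical gRPC method path")

// Policy is a minimal path-based policy of the shape the advisory describes:
// a deny list keyed on canonical paths plus a fallback allow. Constructed
// for this example; it is not grpc-go's authz implementation.
type Policy struct {
	DenyPaths    map[string]bool
	DefaultAllow bool
}

// naiveAllow evaluates the policy against the path exactly as received.
// This is the vulnerable behaviour: "svc/Method" never matches a deny entry
// written as "/svc/Method", so the fallback allow wins.
func naiveAllow(p Policy, fullMethod string) bool {
	if p.DenyPaths[fullMethod] {
		return false
	}
	return p.DefaultAllow
}

// canonicalPath accepts only "/<service>/<method>" with both segments
// non-empty and no further slashes, the shape of the HTTP/2 :path of a
// well-formed gRPC request.
func canonicalPath(fullMethod string) (string, error) {
	if !strings.HasPrefix(fullMethod, "/") {
		return "", ErrNonCanonicalPath
	}
	parts := strings.Split(fullMethod[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", ErrNonCanonicalPath
	}
	return fullMethod, nil
}

// hardenedAllow is the mitigation: reject non-canonical paths outright, so
// deny rules always see the spelling they were written against. Returning
// an error lets the interceptor fail the RPC rather than fall through to
// the default allow.
func hardenedAllow(p Policy, fullMethod string) (bool, error) {
	path, err := canonicalPath(fullMethod)
	if err != nil {
		return false, err
	}
	return naiveAllow(p, path), nil
}

// examplePolicy denies one privileged method and allows everything else,
// the "deny rules plus fallback allow" configuration the advisory warns about.
func examplePolicy() Policy {
	return Policy{
		DenyPaths:    map[string]bool{"/admin.Admin/ResetCluster": true},
		DefaultAllow: true,
	}
}

func main() {
	p := examplePolicy()
	for _, path := range []string{
		"/admin.Admin/ResetCluster", // canonical: denied by both
		"admin.Admin/ResetCluster",  // missing slash: naive allows, hardened rejects
		"/pkg.Svc/Ping",             // unrelated: allowed by both
	} {
		ok, err := hardenedAllow(p, path)
		fmt.Printf("%-26s naive=%-5v hardened=%-5v err=%v\n", path, naiveAllow(p, path), ok, err)
	}
}
```

Hardening the policy itself (no fallback allow) is the complementary fix the advisory mentions; the canonicalisation check is what protects existing deny-plus-default-allow policies until they are rewritten.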

Comment on lines +216 to 220
if err := ctrl.NewWebhookManagedBy(mgr, &dwv1.DevWorkspace{}).Complete(); err != nil {
setupLog.Error(err, "failed creating conversion webhook for DevWorkspaces v1alpha1")
}
if err := ctrl.NewWebhookManagedBy(mgr).For(&dwv2.DevWorkspace{}).Complete(); err != nil {
if err := ctrl.NewWebhookManagedBy(mgr, &dwv2.DevWorkspace{}).Complete(); err != nil {
setupLog.Error(err, "failed creating conversion webhook for DevWorkspaces v1alpha2")
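Review bot: both `Complete()` error branches in this hunk only call `setupLog.Error(...)` and fall through, so if registering either conversion webhook fails the manager still starts, the v1alpha1/v1alpha2 conversion endpoint is simply never served, and the failure surfaces later as API-server conversion errors instead of at startup. Terminate after each log call (`os.Exit(1)`), matching how the other setup steps in main() handle errors; the two-argument `ctrl.NewWebhookManagedBy(mgr, obj)` form is the only change controller-runtime v0.23 requires here, so the error handling can be tightened in the same hunk without touching anything else.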


⚠️ Potential issue | 🟠 Major

Fail fast if conversion webhook registration fails.

Line 216 and Line 219 only log .Complete() errors and continue startup. If conversion webhook registration fails, the manager can start in a degraded state where version conversions break at runtime. Please treat these as fatal initialization errors (consistent with other setup steps in main()).

