NO-ISSUE: bumping to to 1.25 in the backplane-2.8 branch

andrej1991 · openshift-merge-bot[bot] · commit 6ce0bd53eaca · 2026-02-26T12:09:04.000Z
diff --git a/.golangci.yml b/.golangci.yml
@@ -0,0 +1,78 @@
+version: "2"
+run:
+  concurrency: 4
+  timeout: 5m
+  issues-exit-code: 1
+  tests: true
+output:
+  print-issued-lines: true
+  print-linter-name: true
+linters:
+  enable:
+    - staticcheck
+    - unused
+    - govet
+    - gocyclo
+    - gosec
+    - unconvert
+  settings:
+    govet:
+      enable:
+        - shadow
+      settings:
+        printf:
+          funcs:
+            - Infof
+            - Warnf
+            - Errorf
+            - Fatalf
+    gosec:
+      excludes:
+        - G107
+        - G115
+        - G401
+        - G402
+        - G501
+    staticcheck:
+      checks:
+        - "all"
+        - "-ST1001"
+        - "-ST1003"
+        - "-ST1005"
+        - "-ST1008"
+        - "-ST1016"
+        - "-ST1019"
+        - "-ST1023"
+        - "-QF1001"
+        - "-QF1003"
+        - "-QF1011"
+  exclusions:
+    rules:
+    - linters:
+        - staticcheck
+      text: 'QF1008: could remove embedded field'
+    - linters:
+        - gosec
+      text: 'G306: Expect WriteFile permissions to be 0600 or less'
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+issues:
+  uniq-by-line: true
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21 as builder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.21 as builder
 ARG TARGETOS
 ARG TARGETARCH
 
diff --git a/Dockerfile.konflux b/Dockerfile.konflux
@@ -1,4 +1,4 @@
-FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.24 as builder
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.25 as builder
 ARG TARGETOS
 ARG TARGETARCH
 
diff --git a/Makefile b/Makefile
@@ -60,6 +60,8 @@ else
 GOBIN=$(shell go env GOBIN)
 endif
 
+TEST ?= $(shell go list -f '{{if or .TestGoFiles .XTestGoFiles}}{{.ImportPath}}{{end}}' ./...)
+
 PROJECT_DIR := $(shell dirname $(abspath $(firstword $(MAKEFILE_LIST))))
 
 # Setting SHELL to bash allows bash commands to be executed by recipes.
@@ -113,7 +115,7 @@ golangci-lint: ## Run golangci-lint against code.
 
 .PHONY: test
 test: manifests generate fmt vet ## Run tests.
-	go test ./... -coverprofile cover.out
+	go test $(TEST) -coverprofile cover.out
 
 .PHONY: deploy-integration-test
 deploy-integration-test:
@@ -185,7 +187,7 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.4.3
-CONTROLLER_TOOLS_VERSION ?= v0.16.2
+CONTROLLER_TOOLS_VERSION ?= v0.17.0
 
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
@@ -20,7 +20,7 @@ import (
 	"flag"
 	"fmt"
 	"net/http"
-	_ "net/http/pprof"
+	_ "net/http/pprof" //nolint:gosec // G108: pprof only enabled via --start-pprof and bound to localhost:6060
 	"net/url"
 	"os"
 	"time"
diff --git a/cmd/server/main.go b/cmd/server/main.go
@@ -8,6 +8,7 @@ import (
 	"os/signal"
 	"path/filepath"
 	"syscall"
+	"time"
 
 	"github.com/kelseyhightower/envconfig"
 	"github.com/openshift/image-based-install-operator/internal/imageserver"
@@ -42,7 +43,8 @@ func main() {
 	}
 	http.Handle("/images/", s)
 	server := &http.Server{
-		Addr: fmt.Sprintf(":%s", Options.Port),
+		Addr:              fmt.Sprintf(":%s", Options.Port),
+		ReadHeaderTimeout: 5 * time.Second,
 	}
 
 	go func() {
diff --git a/config/crd/bases/extensions.hive.openshift.io_imageclusterinstalls.yaml b/config/crd/bases/extensions.hive.openshift.io_imageclusterinstalls.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.2
+    controller-gen.kubebuilder.io/version: v0.17.0
   name: imageclusterinstalls.extensions.hive.openshift.io
 spec:
   group: extensions.hive.openshift.io
@@ -150,8 +150,27 @@ spec:
                       during installation and used for tagging/naming resources in
                       cloud providers.
                     type: string
+                  metadataJSONSecretRef:
+                    description: |-
+                      MetadataJSONSecretRef references the secret containing the metadata.json emitted by the
+                      installer, potentially scrubbed for sensitive data.
+                    properties:
+                      name:
+                        default: ""
+                        description: |-
+                          Name of the referent.
+                          This field is effectively required, but due to backwards compatibility is
+                          allowed to be empty. Instances of this type with an empty value here are
+                          almost certainly wrong.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
                   platform:
-                    description: Platform holds platform-specific cluster metadata
+                    description: |-
+                      Platform holds platform-specific cluster metadata.
+                      Deprecated. Use the Secret referenced by MetadataJSONSecretRef instead. We may stop
+                      populating this section in the future.
                     properties:
                       aws:
                         description: AWS holds AWS-specific cluster metadata
@@ -160,14 +179,18 @@ spec:
                             description: |-
                               HostedZoneRole is the role to assume when performing operations
                               on a hosted zone owned by another account.
+                              Deprecated. Use the Secret referenced by ClusterMetadata.MetadataJSONSecretRef instead. We
+                              may stop populating this section in the future.
                             type: string
                         type: object
                       azure:
                         description: Azure holds azure-specific cluster metadata
                         properties:
                           resourceGroupName:
-                            description: ResourceGroupName is the name of the resource
-                              group in which the cluster resources were created.
+                            description: |-
+                              ResourceGroupName is the name of the resource group in which the cluster resources were created.
+                              Deprecated. Use the Secret referenced by ClusterMetadata.MetadataJSONSecretRef instead. We
+                              may stop populating this section in the future.
                             type: string
                         required:
                         - resourceGroupName
@@ -176,7 +199,10 @@ spec:
                         description: GCP holds GCP-specific cluster metadata
                         properties:
                           networkProjectID:
-                            description: NetworkProjectID is used for shared VPC setups
+                            description: |-
+                              NetworkProjectID is used for shared VPC setups
+                              Deprecated. Use the Secret referenced by ClusterMetadata.MetadataJSONSecretRef instead. We
+                              may stop populating this section in the future.
                             type: string
                         type: object
                     type: object
diff --git a/controllers/imageclusterinstall_controller.go b/controllers/imageclusterinstall_controller.go
@@ -19,6 +19,7 @@ package controllers
 import (
 	"bytes"
 	"context"
+
 	// These are required for image parsing to work correctly with digest-based pull specs
 	// See: https://github.com/opencontainers/go-digest/blob/v1.0.0/README.md#usage
 	_ "crypto/sha256"
@@ -510,7 +511,7 @@ func (r *ImageClusterInstallReconciler) updateBMHProvisioningState(ctx context.C
 	if bmh.Status.Provisioning.State != bmh_v1alpha1.StateAvailable && bmh.Status.Provisioning.State != bmh_v1alpha1.StateExternallyProvisioned {
 		return nil
 	}
-	log.Infof("Updating BareMetalHost %s/%s provisioning state, current PoweredOn status is: %s", bmh.Namespace, bmh.Name, bmh.Status.PoweredOn)
+	log.Infof("Updating BareMetalHost %s/%s provisioning state, current PoweredOn status is: %t", bmh.Namespace, bmh.Name, bmh.Status.PoweredOn)
 	if bmh.Status.Provisioning.State == bmh_v1alpha1.StateAvailable {
 		if !bmh.Spec.ExternallyProvisioned {
 			log.Infof("Setting BareMetalHost (%s/%s) ExternallyProvisioned spec", bmh.Namespace, bmh.Name)
@@ -934,7 +935,9 @@ func (r *ImageClusterInstallReconciler) writeImageBaseConfig(ctx context.Context
 		return err
 	}
 	releaseRegistry, err := r.imageSetRegistry(ctx, ici)
-
+	if err != nil {
+		return err
+	}
 	return installer.WriteImageBaseConfig(ctx, ici, releaseRegistry, nmstate, file)
 }
 
diff --git a/controllers/imageclusterinstall_controller_test.go b/controllers/imageclusterinstall_controller_test.go
@@ -164,7 +164,7 @@ var _ = Describe("Reconcile", func() {
 		clusterDeployment       *hivev1.ClusterDeployment
 		pullSecret              *corev1.Secret
 		installerMock           *installer.MockInstaller
-		testPullSecretVal       = `{"auths":{"cloud.openshift.com":{"auth":"dXNlcjpwYXNzd29yZAo=","email":"r@r.com"}}}`
+		testPullSecretVal       = `{"auths":{"cloud.openshift.com":{"auth":"dXNlcjpwYXNzd29yZAo=","email":"r@r.com"}}}` //nolint:gosec
 	)
 
 	BeforeEach(func() {
@@ -1807,7 +1807,7 @@ var _ = Describe("Reconcile with DataImageCoolDownPeriod set to 1 second", func(
 		clusterDeployment       *hivev1.ClusterDeployment
 		pullSecret              *corev1.Secret
 		installerMock           *installer.MockInstaller
-		testPullSecretVal       = `{"auths":{"cloud.openshift.com":{"auth":"dXNlcjpwYXNzd29yZAo=","email":"r@r.com"}}}`
+		testPullSecretVal       = `{"auths":{"cloud.openshift.com":{"auth":"dXNlcjpwYXNzd29yZAo=","email":"r@r.com"}}}` //nolint:gosec
 	)
 
 	installerSuccess := func() {
diff --git a/controllers/imageclusterinstall_monitor_test.go b/controllers/imageclusterinstall_monitor_test.go
@@ -39,7 +39,7 @@ var _ = Describe("Monitor", func() {
 		clusterDeployment       *hivev1.ClusterDeployment
 		bmh                     *bmh_v1alpha1.BareMetalHost
 		pullSecret              *corev1.Secret
-		testPullSecretVal       = `{"auths":{"cloud.openshift.com":{"auth":"dXNlcjpwYXNzd29yZAo=","email":"r@r.com"}}}`
+		testPullSecretVal       = `{"auths":{"cloud.openshift.com":{"auth":"dXNlcjpwYXNzd29yZAo=","email":"r@r.com"}}}` //nolint:gosec //fake credentials for testing
 	)
 
 	BeforeEach(func() {
diff --git a/go.mod b/go.mod
@@ -1,8 +1,8 @@
 module github.com/openshift/image-based-install-operator
 
-go 1.24.0
+go 1.25.0
 
-toolchain go1.24.10
+toolchain go1.25.5
 
 require (
 	github.com/containers/image/v5 v5.31.0
diff --git a/hack/golangci-lint.sh b/hack/golangci-lint.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-VERSION="1.55.2"
+VERSION="2.8.0"
 
 rootdir=$(git rev-parse --show-toplevel)
 if [ -z "${rootdir}" ]; then
diff --git a/internal/credentials/credentials.go b/internal/credentials/credentials.go
@@ -23,15 +23,15 @@ import (
 )
 
 const (
-	SecretResourceLabel         = "image-based-installed.openshift.io/created"
+	SecretResourceLabel         = "image-based-installed.openshift.io/created" //nolint:gosec
 	SecretResourceValue         = "true"
 	DefaultUser                 = "kubeadmin"
 	Kubeconfig                  = "kubeconfig"
 	kubeadmincreds              = "kubeadmincreds"
 	kubeAdminKey                = "password"
 	SeedReconfigurationFileName = "manifest.json"
 
-	secretPreservationLabel = "siteconfig.open-cluster-management.io/preserve"
+	secretPreservationLabel = "siteconfig.open-cluster-management.io/preserve" //nolint:gosec
 	secretPreservationValue = "cluster-identity"
 )
 
diff --git a/internal/credentials/credentials_test.go b/internal/credentials/credentials_test.go
@@ -368,7 +368,7 @@ var _ = Describe("Credentials", func() {
 			createSecret(secretName, map[string][]byte{key: val})
 
 			ref := types.NamespacedName{Name: secretName, Namespace: clusterDeployment.Namespace}
-			val, exists, err := cm.getSecretContent(ctx, ref, key)
+			_, exists, err := cm.getSecretContent(ctx, ref, key)
 
 			Expect(err).NotTo(HaveOccurred())
 			Expect(exists).To(BeFalse())
diff --git a/internal/installer/reinstall_test.go b/internal/installer/reinstall_test.go
@@ -46,6 +46,7 @@ platform:
 pullSecret: '{"auths":{"quay.io":{"auth":"dXNlcjpwYXNzCg=="}}}'
 `
 
+//nolint:gosec //fake credentials for testing
 const secretSeedReconfig = `
 {
   "api_version": 1,
@@ -178,7 +179,7 @@ var _ = Describe("WriteReinstallData", func() {
 			idData := credentials.IdentityData{
 				Kubeconfig:        []byte("kubeconfig"),
 				KubeadminPassword: []byte("password"),
-				SeedReconfig:      []byte(data),
+				SeedReconfig:      []byte(data), //nolint:unconvert
 			}
 
 			err = inst.WriteReinstallData(context.Background(), tmpWorkDir, isoWorkDir, idData)
diff --git a/internal/monitor/monitor.go b/internal/monitor/monitor.go
@@ -85,15 +85,15 @@ func clusterVersionStatus(ctx context.Context, log logrus.FieldLogger, c client.
 	for _, cond := range cv.Status.Conditions {
 		if cond.Type == configv1.OperatorAvailable {
 			if !didCVOStarted(log, cv, reconfigurationStartTime) {
-				log.Infof(clusterVersionNotAvailableMessage)
+				log.Info(clusterVersionNotAvailableMessage)
 				return false, clusterVersionNotAvailableMessage, nil
 			}
 			if cond.Status == configv1.ConditionTrue {
 				return true, clusterVersionAvailableMessage, nil
 			}
 			if cond.Type == configv1.OperatorAvailable {
 				message := fmt.Sprintf("ClusterVersion is not yet available because %s: %s", cond.Reason, cond.Message)
-				log.Infof(message)
+				log.Info(message)
 				return false, message, nil
 			}
 		}
@@ -134,7 +134,7 @@ func nodesStatus(ctx context.Context, log logrus.FieldLogger, c client.Client) (
 			if cond.Type == corev1.NodeReady {
 				if cond.Status != corev1.ConditionTrue {
 					message := fmt.Sprintf("Node %s is not yet ready because %s: %s", node.Name, cond.Reason, cond.Message)
-					log.Infof(message)
+					log.Info(message)
 					messages = append(messages, message)
 					nodesReady = false
 				}

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21 as builder`
	`1`	`+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.21 as builder`
`2`	`2`	`ARG TARGETOS`
`3`	`3`	`ARG TARGETARCH`
`4`	`4`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.24 as builder`
	`1`	`+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.25 as builder`
`2`	`2`	`ARG TARGETOS`
`3`	`3`	`ARG TARGETARCH`
`4`	`4`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ var _ = Describe("Monitor", func() {`
`39`	`39`	`clusterDeployment *hivev1.ClusterDeployment`
`40`	`40`	`bmh *bmh_v1alpha1.BareMetalHost`
`41`	`41`	`pullSecret *corev1.Secret`
`42`		- testPullSecretVal = `{"auths":{"cloud.openshift.com":{"auth":"dXNlcjpwYXNzd29yZAo=","email":"r@r.com"}}}`
	`42`	+ testPullSecretVal = `{"auths":{"cloud.openshift.com":{"auth":"dXNlcjpwYXNzd29yZAo=","email":"r@r.com"}}}` //nolint:gosec //fake credentials for testing
`43`	`43`	`)`
`44`	`44`
`45`	`45`	`BeforeEach(func() {`