Update k8s.io/kube-openapi digest to 865597e

[red-hat-konflux]

This PR contains the following updates:

Package	Type	Update	Change
k8s.io/kube-openapi	indirect	digest	8949caa → 865597e

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 112e4bb and 2 for PR HEAD bafe91f in total

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 77eb272 and 1 for PR HEAD bafe91f in total

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD e604438 and 0 for PR HEAD bafe91f in total

[openshift-merge-bot]

/hold

Revision bafe91f was retested 3 times: holding

[openshift-ci]

New changes are detected. LGTM label has been removed.

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request updates the indirect dependency k8s.io/kube-openapi in go.mod to a newer commit hash (v0.0.0-20260603220949-865597e52e25), replacing the previous version from April 2026.

Changes

Dependency Update

Layer / File(s)	Summary
k8s.io/kube-openapi version bump go.mod	The k8s.io/kube-openapi indirect module dependency is bumped to a more recent commit hash.

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: updating the k8s.io/kube-openapi dependency digest from one version to another.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/mintmaker/main/k8s.io-kube-openapi-digest

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 167: go.mod pins k8s.io/kube-openapi at commit 865597e52e25 which is out
of sync with the other Kubernetes modules (k8s.io/api, k8s.io/apimachinery,
k8s.io/client-go) at v0.35.4; update the k8s.io/kube-openapi entry to the
version Kubernetes v0.35.4 expects (v0.0.0-20250910181357-589584f1c912) or,
alternatively, bump all Kubernetes-related modules together to a consistent
release; modify the k8s.io/kube-openapi module version string in go.mod (the
k8s.io/kube-openapi line) so it matches the chosen approach and then run go mod
tidy to regenerate go.sum and ensure module graph consistency.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 46b81498-0ee8-417e-83bb-6f759e7de298

📥 Commits

Reviewing files that changed from the base of the PR and between fda9f13 and 5f9b68e.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum, !go.sum

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check for security advisories for k8s.io/kube-openapi

# Check for GitHub security advisories
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "k8s.io/kube-openapi") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

# Verify the commit exists in the repository
echo "Checking if commit 865597e52e25 exists..."
gh api repos/kubernetes/kube-openapi/commits/865597e52e25 --jq '.sha, .commit.author.date, .commit.message' 2>&1

Repository: openshift/lightspeed-operator

Length of output: 371

---

🌐 Web query:

k8s.io/kube-openapi commit 865597e52e25 changelog security

💡 Result:

I couldn’t locate any source that ties the specific kube-openapi commit 865597e52e25 to a changelog entry or a security fix. What I did find: a recent kube-openapi update in Kubernetes that mentions “key changes upstream” (including an escaping bugfix for JSON-Pointer-reserved characters in generated schema/component names) in PR #138741, but that PR’s referenced kube-openapi revision is b7f5293f4787—not 865597e52e25—and the snippets available don’t mention security implications. Security-related material I found for kube-openapi is general (e.g., the repo’s SECURITY.md and an OpenAPI V3 security requirements PR), but it’s not associated with commit 865597e52e25. So, based on the evidence available from the searches, I can’t confidently answer what security/changelog item 865597e52e25 corresponds to. If you can share the full 40-char commit hash (or a link to the commit/compare view), I can try again and specifically map it to the relevant kube-openapi changelog/security note(s).

Citations:

• 1: bump k8s.io/kube-openapi to v0.0.0-20260502001324-b7f5293f4787 kubernetes/kubernetes#138741
• 2: Add repo SECURITY.md kubernetes/kube-openapi#199
• 3: Add security requirement to root OpenAPI V3 kubernetes/kube-openapi#432
• 4: https://github.com/kubernetes/kube-openapi/tree/ee342a809c29ce286ab48cea8442ef9cd0ab8c1c

---

🌐 Web query:

k8s.io/kube-openapi compatibility with kubernetes 0.35.4

💡 Result:

For Kubernetes v0.35.4, compatibility is achieved by using the kube-openapi version that Kubernetes itself vendors/depends on for that release. In the v0.35.4 line, the kube-apiserver (and related components) depend on k8s.io/kube-openapi at v0.0.0-20250910181357-589584f1c912 [1][2]. In other words: kube-openapi is not “version-compatible” across arbitrary Kubernetes versions; you should align kube-openapi to the Kubernetes release’s expected module version (above) to avoid OpenAPI generation/aggregation mismatches. What this means in practice 1) If you are building extension API servers or clients: match kube-openapi to the Kubernetes branch/release you’re targeting (for k8s 0.35.4, use the kube-openapi commit/version listed above) [1][2]. 2) If you mix versions (kube-openapi newer/older than what kube-apiserver expects), you can hit OpenAPI backward-incompatibility issues—e.g., kube-openapi changes around how model names are generated for OpenAPI v2 aggregation can be backward-incompatible and require Kubernetes-side bumps / kube-openapi bumps [3][4]. Source-backed anchor for Kubernetes OpenAPI generation The kube-apiserver’s OpenAPI handler imports kube-openapi packages (k8s.io/kube-openapi/pkg/util and pkg/validation/spec), so kube-apiserver and kube-openapi must be kept in lockstep for that Kubernetes release series [2].

Citations:

• 1: https://pkg.go.dev/k8s.io/apiserver@v0.35.4
• 2: https://github.com/kubernetes/apiserver/blob/master/pkg/endpoints/openapi/openapi.go
• 3: Backward incompatibility of OpenAPI changes kubernetes/kubernetes#138247
• 4: Fix: Backward incompatibility of OpenAPI changes kubernetes/kubernetes#138266

---

Fix k8s.io/kube-openapi alignment with Kubernetes v0.35.4 (go.mod line 167)

• Commit 865597e52e25 exists in kubernetes/kube-openapi (dated 2026-06-03).
• GitHub security advisory lookup for k8s.io/kube-openapi returns no reported advisories for the queried package.
• Compatibility risk: Kubernetes v0.35.4 is reported to use k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912, but this PR pins v0.0.0-20260603220949-865597e52e25 while keeping k8s.io/api, k8s.io/apimachinery, and k8s.io/client-go at v0.35.4. Align kube-openapi to the v0.35.4 expected module version (or bump the full Kubernetes dependency set together) to avoid OpenAPI aggregation/generation mismatches.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 167, go.mod pins k8s.io/kube-openapi at commit 865597e52e25
which is out of sync with the other Kubernetes modules (k8s.io/api,
k8s.io/apimachinery, k8s.io/client-go) at v0.35.4; update the
k8s.io/kube-openapi entry to the version Kubernetes v0.35.4 expects
(v0.0.0-20250910181357-589584f1c912) or, alternatively, bump all
Kubernetes-related modules together to a consistent release; modify the
k8s.io/kube-openapi module version string in go.mod (the k8s.io/kube-openapi
line) so it matches the chosen approach and then run go mod tidy to regenerate
go.sum and ensure module graph consistency.

[openshift-ci]

@red-hat-konflux[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.