[Release-4.17] OCPBUGS-80129: Update grpc-go to v1.71.3-sec.1 to fix CVE-2026-33186

[MrSanketkumar]

Summary

Fixes CVE-2026-33186 by updating grpc to patched version v1.71.3-sec.1 from openshift-sustaining fork.

Changes

• Main module: google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.71.3-sec.1
• openshift/default-catalog-consistency: google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.71.3-sec.1
• Updated vendor directories

CI Unit Test Fix

 - Updated setup-envtest from v0.0.0-20230606045100 (June 2023) to v0.0.0-20240820183333 (August 2024)
 - Fixes "fork/exec /usr/local/kubebuilder/bin/etcd: no such file or directory" error
 - The old setup-envtest version didn't support downloading Kubernetes 1.30.x control plane binaries required for envtest
 - Updated files: `.bingo/setup-envtest.mod`, `.bingo/setup-envtest.sum`, `.bingo/Variables.mk`, `.bingo/variables.env`

Summary by CodeRabbit

Chores

• Updated Go module dependencies throughout the project to current versions, including testify (v1.9.0 → v1.10.0), Google Cloud compute metadata (v0.3.0 → v0.6.0), OpenTelemetry instrumentation and exporter packages, golang system libraries, and protocol buffer modules.

[coderabbitai]

Walkthrough

Go module dependencies are upgraded across the main module and sub-module, including testify, Google Cloud metadata, OpenTelemetry ecosystem, and multiple golang.org/x and google.golang.org packages. A replace directive is added to both go.mod files to redirect google.golang.org/grpc to the OpenShift-sustaining fork (v1.71.3-sec.1) instead of the upstream version.

Changes

Dependency Updates and gRPC Fork Replacement

Layer / File(s)	Summary
Main module dependency upgrades go.mod	Testify is bumped to v1.10.0, compute/metadata to v0.6.0, and a bulk upgrade applies to OpenTelemetry modules (otel, SDK, instrumentation, exporters) plus golang.org/x libraries (crypto, net, oauth2, sync, sys, term, text) and Google ecosystem packages (genproto, grpc, protobuf).
gRPC fork replacement across modules go.mod, openshift/default-catalog-consistency/go.mod	A replace directive is added to both the main and sub-module to redirect google.golang.org/grpc to the OpenShift-sustaining fork at v1.71.3-sec.1, ensuring consistent use of the patched version across the module tree.
Sub-module dependency synchronization openshift/default-catalog-consistency/go.mod	Indirect dependency versions are bumped to align with the main module, including golang.org/x/oauth2 and coordinated updates to google.golang.org packages (genproto/googleapis/rpc, grpc, protobuf).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• openshift/operator-framework-operator-controller#731: Both PRs modify go.mod to replace google.golang.org/grpc with github.com/openshift-sustaining/grpc-go (different patched versions), creating direct dependency overlap.
• openshift/operator-framework-operator-controller#727: Both PRs modify the go.mod dependency graph around google.golang.org/grpc, with this PR adding a replace directive while the related PR adjusts the version.

Suggested labels

lgtm, backport-risk-assessed

🚥 Pre-merge checks | ✅ 5 | ❌ 7

❌ Failed checks (7 inconclusive)

Check name	Status	Explanation	Resolution
Stable And Deterministic Test Names	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Test Structure And Quality	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Microshift Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Single Node Openshift (Sno) Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Topology-Aware Scheduling Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ote Binary Stdout Contract	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ipv6 And Disconnected Network Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: updating grpc-go to address CVE-2026-33186, which matches the primary objective and modifications in go.mod files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-80129, which is invalid:

• expected dependent Jira Issue OCPBUGS-80304 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ASSIGNED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

Fixes CVE-2026-33186 by updating grpc to patched version v1.71.3-sec.1 from openshift-sustaining fork.

Changes

• Main module: google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.71.3-sec.1
• openshift/default-catalog-consistency: google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.71.3-sec.1
• Updated vendor directories

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[MrSanketkumar]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[MrSanketkumar]

/test unit

[MrSanketkumar]

/test unit

[MrSanketkumar]

/retest-required

[perdasilva]

it seems updating setup-envtest in bingo makes the unit tests pass - but it also seems to bump the go version =/

[MrSanketkumar]

it seems updating setup-envtest in bingo makes the unit tests pass - but it also seems to bump the go version =/

Yes, but the setup-envtest bump is from 1.20 to 1.22, which I don’t think should break anything because our go.mod already uses Go 1.22, and we also build with the same version. So there ideally should not be any issue.

Should I raise a fix PR with this change and verify whether all CI jobs pass, or is there any other approach I should follow? I’m not very familiar with this area.

[openshift-ci-robot]

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-80129, which is invalid:

• expected dependent Jira Issue OCPBUGS-80304 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

Summary

Fixes CVE-2026-33186 by updating grpc to patched version v1.71.3-sec.1 from openshift-sustaining fork.

Changes

• Main module: google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.71.3-sec.1
• openshift/default-catalog-consistency: google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.71.3-sec.1
• Updated vendor directories

CI Unit Test Fix
- Updated setup-envtest from v0.0.0-20230606045100 (June 2023) to v0.0.0-20240820183333 (August 2024)
- Fixes "fork/exec /usr/local/kubebuilder/bin/etcd: no such file or directory" error
- The old setup-envtest version didn't support downloading Kubernetes 1.30.x control plane binaries required for envtest
- Updated files: .bingo/setup-envtest.mod, .bingo/setup-envtest.sum, .bingo/Variables.mk, .bingo/variables.env

Summary by CodeRabbit

Chores

• Updated Go module dependencies throughout the project to current versions, including testify (v1.9.0 → v1.10.0), Google Cloud compute metadata (v0.3.0 → v0.6.0), OpenTelemetry instrumentation and exporter packages, golang system libraries, and protocol buffer modules.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[perdasilva]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MrSanketkumar, perdasilva

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• DOWNSTREAM_OWNERS [perdasilva]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[perdasilva]

/jira refresh

[openshift-ci-robot]

@perdasilva: This pull request references Jira Issue OCPBUGS-80129, which is invalid:

• expected dependent Jira Issue OCPBUGS-80304 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@MrSanketkumar: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.