Bumps golang from 1.24 to 1.26.

---
updated-dependencies:
- dependency-name: golang
  dependency-version: '1.26'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
pdettori
left a comment
Compatibility Review: Go 1.24 → 1.26
All 14 CI checks pass (Build, Lint, Unit Tests, E2E, CodeQL, Trivy, etc.), which is a strong signal. However, this is a two-version jump (skipping 1.25), so here's a deeper look at what changes.
Current State
- Dockerfile: `golang:1.24` → `golang:1.26` (this PR)
- go.mod: `go 1.24.0` (unchanged)
- go.mod: `godebug default=go1.23` (unchanged)
What godebug default=go1.23 Protects Against
The godebug line pins Go 1.23 default behaviors, so these changes are gated and won't affect the operator:
| Change | Go version | Effect of go1.23 godebug |
|---|---|---|
| Container-aware GOMAXPROCS | 1.25 | Stays disabled — ignores cgroup CPU limits |
| SHA-1 disallowed in TLS 1.2 | 1.25 | SHA-1 remains allowed |
| Post-quantum TLS key exchanges | 1.24 + 1.26 | PQ disabled — no large ClientHello |
| net/url.Parse rejects malformed colons in host | 1.26 | Old permissive behavior kept |
| SubjectKeyId uses SHA-256 | 1.25 | Keeps SHA-1 |
| DoS limits (cookie/query param) | 1.26 | No limits (old behavior) |
What Is NOT Protected by godebug (applies regardless)
| Change | Go version | Impact |
|---|---|---|
| Green Tea GC enabled by default | 1.26 | 10-40% GC overhead reduction. Compiler/runtime change, not godebug-gated. Should improve reconciler loop performance. Opt-out: GOEXPERIMENT=nogreenteagc |
| Stricter TLS spec compliance | 1.25 | Partially ungated. Could break connections to non-compliant TLS peers |
| ServeMux trailing slash: 301 → 307 | 1.26 | Unconditional. Minimal risk since controller-runtime registers exact paths |
| Compiler surfaces unsafe.Pointer bugs | 1.25-1.26 | More stack allocation for slice backing stores amplifies existing unsafe.Pointer bugs. controller-runtime/client-go use unsafe in a few places |
| io.ReadAll allocation change | 1.26 | ~2x faster, less intermediate memory. Performance win |
Recommendation
The PR is safe to merge given passing CI. However, a follow-up should consider:
- Bump `go.mod` to `go 1.26.0` to eliminate the Dockerfile/go.mod version skew
- Bump `godebug default=go1.25` or `go1.26` to pick up container-aware GOMAXPROCS and DoS protections (after verifying no code depends on old behaviors)
- Watch for TLS handshake failures (stricter spec compliance) and potential crashes from unsafe.Pointer stack-allocation changes in early rollout
Note: `godebug default=go1.23` is currently blocking several beneficial security defaults (DoS limits, RSA minimum key size, SHA-1 deprecation). Updating this separately is worth considering.
| @@ -1,5 +1,5 @@ | |||
| # Build the manager binary | |||
| FROM docker.io/golang:1.24 AS builder | |||
| FROM docker.io/golang:1.26 AS builder | |||
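Review bot: the changed FROM line pins only the floating tag `docker.io/golang:1.26`, so the builder base can move underneath the build (new 1.26.x patch releases, image rebuilds) with no diff in this repository; pin a full patch version or, better, add a `@sha256:` digest next to the tag so the bump stays reproducible and verifiable. go.mod is not touched by this change and still declares `go 1.24.0` with `godebug default=go1.23`, which a 1.26 toolchain will happily build, but it leaves the language level and the runtime's GODEBUG defaults out of step with the builder; bump them in the same PR or in a tracked follow-up.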
Compatibility note: The Dockerfile now uses Go 1.26 to compile, but go.mod still declares go 1.24.0 with godebug default=go1.23. This is a supported configuration (Go toolchain is backward-compatible), but creates a version skew.
The binary gets Go 1.26 runtime (including the new Green Tea GC) while the module's language features and godebug behaviors stay at 1.23/1.24 level.
Consider a follow-up PR to bump go.mod to go 1.26.0 and evaluate updating godebug default=go1.25 or later to pick up container-aware GOMAXPROCS and DoS protections.
pdettori
left a comment
Compatibility Review: Go 1.24 → 1.26 (APPROVE)
All 14 CI checks pass. The godebug default=go1.23 in go.mod shields the operator from most breaking behavioral changes in 1.25/1.26.
Safe (godebug-gated): Container-aware GOMAXPROCS, SHA-1 in TLS, post-quantum TLS, URL parse strictness, DoS limits — all retain old behavior.
Ungated (beneficial): Green Tea GC (10-40% less overhead), faster io.ReadAll — performance wins.
Ungated (low risk): Stricter TLS spec compliance (partially ungated), ServeMux 301→307 trailing slash (minimal risk with controller-runtime).
Follow-up recommended:
- Bump `go.mod` to `go 1.26.0` to eliminate Dockerfile/go.mod version skew
- Bump `godebug default=go1.25` or `go1.26` to pick up container-aware GOMAXPROCS and DoS protections
Safe to merge as-is.
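Both reviews above describe the same three-way skew: the builder image says 1.26, the go.mod `go` directive says 1.24.0 and the `godebug` line says 1.23. The program below is an added example written for this page, not code from the operator repository, from controller-runtime or from Dependabot. It performs that check mechanically over constructed copies of the Dockerfile and go.mod lines quoted above; the `Skew` type, `AnalyzeSkew`, the regex and the sample module path `example.com/operator` are this example's own, and it assumes the single-line `godebug default=goX.Y` form shown on the page rather than a parenthesised `godebug (` block.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"slices"
	"strconv"
	"strings"
)

// Constructed copies of the Dockerfile and go.mod lines quoted in the review (sample data, not the repository's files).
const sampleDockerfile = "# Build the manager binary\nFROM docker.io/golang:1.26 AS builder\nWORKDIR /workspace\n"
const sampleGoMod = "module example.com/operator // hypothetical module path\n\ngo 1.24.0\n\ngodebug default=go1.23\n"

// Skew records the three version knobs a Go build carries and what disagrees.
type Skew struct {
	Toolchain      string   // version in the builder image tag, e.g. "1.26"
	GoDirective    string   // go.mod "go" line, e.g. "1.24.0"
	GodebugDefault string   // effective "godebug default=" version; equals GoDirective when the line is absent
	HeldBack       []string // minor releases whose new GODEBUG defaults the pin keeps switched off
	Findings       []string // mismatches in plain words; empty when everything is aligned
}

// fromRe captures the version from "FROM [--flag ...] [registry/]golang:<version>[-variant]".
var fromRe = regexp.MustCompile(`(?m)^FROM\s+(?:--\S+\s+)*(?:\S+/)?golang:(\d+\.\d+(?:\.\d+)?)`)

// parseVersion accepts "1.24.0", "1.26" or "go1.23"; a missing patch component counts as 0.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unexpected Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("bad component %q in Go version %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// parseGoMod pulls the go directive and the godebug default out of a go.mod; trailing comments are ignored.
func parseGoMod(src string) (goDirective, godebugDefault string) {
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		case len(f) >= 2 && f[0] == "go":
			goDirective = f[1]
		case len(f) >= 2 && f[0] == "godebug" && strings.HasPrefix(f[1], "default="):
			godebugDefault = strings.TrimPrefix(strings.TrimPrefix(f[1], "default="), "go")
		}
	}
	return goDirective, godebugDefault
}

// AnalyzeSkew compares the builder image tag with go.mod and reports where the
// toolchain, the go directive and the GODEBUG default disagree.
func AnalyzeSkew(dockerfile, gomod string) (Skew, error) {
	m := fromRe.FindStringSubmatch(dockerfile)
	if m == nil {
		return Skew{}, fmt.Errorf("no FROM golang:<version> line in Dockerfile")
	}
	s := Skew{Toolchain: m[1]}
	s.GoDirective, s.GodebugDefault = parseGoMod(gomod)
	if s.GodebugDefault == "" { // no godebug line: defaults follow the go directive
		s.GodebugDefault = s.GoDirective
	}
	tc, _ := parseVersion(s.Toolchain) // digits only, guaranteed by fromRe
	gd, err := parseVersion(s.GoDirective)
	if err != nil {
		return s, fmt.Errorf("go.mod go directive: %w", err)
	}
	gb, err := parseVersion(s.GodebugDefault)
	if err != nil {
		return s, fmt.Errorf("go.mod godebug default: %w", err)
	}
	if slices.Compare(tc[:], gd[:]) > 0 {
		s.Findings = append(s.Findings, fmt.Sprintf("builder go%s is newer than go.mod go %s: the binary gets the %s runtime while language level and GODEBUG defaults follow go.mod", s.Toolchain, s.GoDirective, s.Toolchain))
	}
	for minor := gb[1] + 1; gb[0] == tc[0] && minor <= tc[1]; minor++ {
		s.HeldBack = append(s.HeldBack, fmt.Sprintf("go%d.%d", gb[0], minor))
	}
	if len(s.HeldBack) > 0 {
		s.Findings = append(s.Findings, fmt.Sprintf("GODEBUG defaults frozen at go%s: new defaults introduced in %s are not in effect", s.GodebugDefault, strings.Join(s.HeldBack, ", ")))
	}
	return s, nil
}

func main() {
	s, err := AnalyzeSkew(sampleDockerfile, sampleGoMod)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(s.Findings, "\n"))
}
```

Run against the real files (for instance read with `os.ReadFile`) it yields the two findings the reviewer lists: a 1.26 runtime on a 1.24.0 language level, and GODEBUG defaults frozen at go1.23 so the go1.24, go1.25 and go1.26 changes are all off. When a go.mod has no `godebug` line the defaults follow the `go` directive, which the check models by treating the directive as the effective default. After the bump, `go version -m` on the built manager binary prints the `DefaultGODEBUG` setting that was actually linked in, which is the quickest way to confirm what the operator really runs with.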