CORS-4503: bump cluster-api to v1.12.8

[tthvo]

This PR bumps sigs.k8s.io/cluster-api version to v1.12.8 for both top-level (manifest generation) go.mod and CAPI controller go.mod.

Motivations

There are some benefits to use v1.12 such as:

• Keeping up with CAPI to avoid unexpected breaking changes when we, eventually, migrate to use v1beta2 API (removal in April 2027).
• Getting MachineTaint support on MachineSpec to enable setting node taints via MachineSet /MachineDeployment. This is required for edge compute pool managed via day-2 CAPI/CAPA.

Important

As of CAPI v1.12, v1beta1 API is still available (tentative removal in April 2027); thus, it should still be backwards compatible with installer-generated manifests. See migration guide.

Summary by CodeRabbit

• Chores
  • Updated core dependencies to latest stable versions, including cluster API framework, observability tools, and Kubernetes-related modules for improved compatibility and system stability.

[openshift-ci-robot]

@tthvo: This pull request references CORS-4503 which is a valid jira issue.

Details

In response to this:

This PR bumps sigs.k8s.io/cluster-api version to v1.12.8 for both top-level (manifest generation) go.mod and capi controller go.mod.

The motivation is to get the new node taint support for CAPI machine(set), which is required by edge compute pool if managed by in-cluster CAPI.

Important

As of CAPI v1.12, v1beta1 API is still available (tentative removal in April 2027); thus, it should still be backwards compatible with installer-generated manifests. See migration guide.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sdodson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

This pull request updates the OpenShift installer's cluster-api dependency from v1.11.3 to v1.12.8, along with reconciling all transitive dependencies to compatible versions required by the new cluster-api release. The go.mod file is modified to reflect the primary bump and cascading indirect dependency changes across gRPC gateway, observability instrumentation, Kubernetes APIs, and related packages.

Changes

Cluster API and Dependency Upgrades

Layer / File(s)	Summary
Cluster-API primary version bump cluster-api/cluster-api/go.mod	sigs.k8s.io/cluster-api is updated from v1.11.3 to v1.12.8.
Transitive dependency updates cluster-api/cluster-api/go.mod	Indirect dependencies are bumped across the board: grpc-gateway/v2 (v2.27.3 → v2.27.7), OpenTelemetry (go.opentelemetry.io/* from v1.38.0 to v1.40.0 series, with otelhttp additions), go.uber.org/zap, multiple golang.org/x/* and google.golang.org/* modules (genproto, grpc, protobuf), and Kubernetes-related packages (k8s.io/* v0.34.2 → v0.34.3, sigs.k8s.io/controller-runtime, and sigs.k8s.io/structured-merge-diff/v6).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main change: bumping cluster-api from v1.11.x to v1.12.8, which is the primary purpose of this PR as stated in the objectives.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR modifies only go.mod/go.sum files and vendored dependencies. The codebase does not use Ginkgo tests—it uses standard Go testing (testing.T). The check is not applicable.
Test Structure And Quality	✅ Passed	PR modifies only go.mod, go.sum, and vendor/ dependency files. No Ginkgo test code or test files are modified, making the test structure and quality check not applicable to this dependency update PR.
Microshift Test Compatibility	✅ Passed	This PR updates cluster-api dependencies to v1.12.8 via go.mod and vendor updates. No new Ginkgo e2e tests are added, so MicroShift compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR updates go.mod dependencies for cluster-api v1.12.8 with no new Ginkgo e2e tests added. The check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	No topology-breaking constraints found. Deployments have replicas: 1, control-plane tolerations only, no anti-affinity, nodeSelector, or topology spread constraints.
Ote Binary Stdout Contract	✅ Passed	PR updates cluster-api to v1.12.8. Main binary properly redirects klog/klogv2/logrus output to io.Discard/os.Stderr. Cluster-api vendor code not executed by openshift-install.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests were added. This PR only updates cluster-api dependency versions in go.mod and vendor files. New test files use standard Go testing, not Ginkgo, so the check does not apply.
No-Weak-Crypto	✅ Passed	No MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB mode usage, custom crypto implementations, or non-constant-time secret comparisons detected in the codebase.
Container-Privileges	✅ Passed	No privileged containers found. All containers have allowPrivilegeEscalation: false, privileged: false, run as non-root (uid 65532), with all capabilities dropped.
No-Sensitive-Data-In-Logs	✅ Passed	PR adds logging with redaction mechanism for sensitive command-line flags (--key, --master); no unredacted passwords, tokens, API keys, or PII exposed in logs.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tthvo]

/cc @patrickdillon

[tthvo]

/hold

I haven't noticed any breaking changes in CAPI v1.12 that, in our installer use case, would require the providers to also bump on their end. Let's see 👀

[tthvo]

/test e2e-azure-ovn
/test e2e-vsphere-ovn e2e-vsphere-static-ovn
/test e2e-openstack-ovn e2e-nutanix-ovn e2e-ibmcloud-ovn e2e-metal-ipi-ovn e2e-powervs-capi-ovn

[tthvo]

/test e2e-ibmcloud-ovn

[tthvo]

/hold cancel

So far, CI results look good :D There is no "breaking" in CAPI v1.12.

[tthvo]

/test e2e-vsphere-ovn-techpreview e2e-vsphere-static-ovn

[openshift-ci]

@tthvo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-openstack-ovn	d9fbddf	link	true	/test e2e-openstack-ovn
ci/prow/e2e-gcp-xpn-dedicated-dns-project	d9fbddf	link	false	/test e2e-gcp-xpn-dedicated-dns-project
ci/prow/e2e-gcp-xpn-custom-dns	d9fbddf	link	false	/test e2e-gcp-xpn-custom-dns
ci/prow/e2e-nutanix-ovn	d9fbddf	link	false	/test e2e-nutanix-ovn
ci/prow/e2e-powervs-capi-ovn	d9fbddf	link	false	/test e2e-powervs-capi-ovn
ci/prow/e2e-azure-ovn	d9fbddf	link	true	/test e2e-azure-ovn
ci/prow/e2e-ibmcloud-ovn	d9fbddf	link	false	/test e2e-ibmcloud-ovn
ci/prow/e2e-vsphere-ovn-techpreview	d9fbddf	link	false	/test e2e-vsphere-ovn-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.