Update controller-runtime to 0.17.3

[JeffeyL]

Changes required to update controller-runtime to 0.17.

Ref: https://issues.redhat.com/browse/ACM-10835

[JustinKuli]

Seems good overall! Kudos for finding the right changes for these odd cache settings

[JustinKuli]

@dhaiducek if I remember right, you added these? I'd like to remove any of them if possible... is it as simple as removing it here, running a tidy, and then running some test somewhere involving go test -u? (that last bit is where I get lost)

[dhaiducek]

Yeah, they were set so that Go could programmatically find an unblocked upgrade path with go get -u. During an upgrade, they should be removed entirely and replacements added back on an as-needed basis with the highest possible version.

[JustinKuli]

This might be a good time to clean up some of these replace directives for CVEs. I think that if you remove them here, and check the version it would choose (maybe in the go.sum after running a tidy), we can see if that would still be affected by this CVE. I expect some of them might have been updated in our direct dependencies, and so we don't need the replace anymore.

If this ends up being a big task, we can split it out into another issue.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JeffeyL, mprahl

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mprahl]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dhaiducek]

I have concerns that removing this block re-introduced affected versions of these packages in go.sum. Is updating the indirects sufficient to resolve the CVEs?

[JustinKuli]

We might be ok - from what I'm reading in https://go.dev/ref/mod#go-sum-files, I think that the <module> <version>/go.mod entries that are now in the go.sum file and refer to older (possibly affected) versions are not actually being used. But I'm going to research this some more because it would be really nice to get rid of some of these directives

[mprahl]

Before approving the PR, I researched this and my understanding is that what is actually used is in go.mod but go.sum has all the entries of the Go modules that the minimal version selection algorithm looked at to come up with the go.mod result.

[JustinKuli]

Ok, I think go list -m <module> gives a less ambiguous answer to what version of the dependency is being used, and shows that these are good:

❯ go list -m golang.org/x/crypto
golang.org/x/crypto v0.21.0

❯ go list -m golang.org/x/net
golang.org/x/net v0.22.0

❯ go list -m golang.org/x/text                                                                                                                              
golang.org/x/text v0.14.0

❯ go list -m gopkg.in/yaml.v2
gopkg.in/yaml.v2 v2.4.0

[dhaiducek]

Nice--if that's the case, then we can stop using replace for CVEs!