This user story focuses on implementing dependency management for the aws-load-balancer-operator and aws-load-balancer-controller repositories. We are specifically interested in two types of dependencies: Go modules and Containerfile base/builder images.

For Go module management:

• Go module updates should be automatically handled by Konflux's MintMaker, but only for the aws-load-balancer-operator repository.
• The aws-load-balancer-controller repository should continue receiving Go module updates via regular upstream rebases.
• Applying automatic Go module updates to aws-load-balancer-controller may lead to unresolvable rebase conflicts and is therefore not desired.
• We are only interested in Go module updates that address known CVEs. Frequent updates to all modules introduce excessive noise and risk and should be avoided.

For Containerfile management:

• Base and builder image updates should be applied regularly.
• We need to explore options to restrict updates to specific major/minor versions, avoiding unwanted automatic migrations.
• In particular, RHEL major version migrations and minor Go version updates should not be performed automatically through MintMaker.

Acceptance criteria

• Base and builder images of aws-load-balancer-operator are updated to the latest RHEL9/Golang available.
• Gomod dependencies of aws-load-balancer-operator don't have critical or high CVEs.
• Base and builder images of aws-load-balancer-controller are updated to the latest RHEL9/Golang available.
• Clair, ClamAV and deprecated-base-image checks of the build pipelines are green for both aws-load-balancer-operator and aws-load-balancer-controller.

Useful links

• Konflux documentation: dependency management.
• Example of go module updates limited to CVE: PR (potential problem with go mod commands).
• Example of go module updates disabled: PR.
• https://issues.redhat.com/browse/OCPBUGS-46442