Merge pull request #694 from furkatgofurov7/bump-kustomize-v5

🌱 Align kustomize layover structure with v5 version
kubernetes-sigs · Jan 28, 2025 · 7e7d5cc · 7e7d5cc
2 parents 1fa06ef + b502572
commit 7e7d5cc
Showing 26 changed files with 224 additions and 121 deletions.
diff --git a/Makefile b/Makefile
@@ -23,7 +23,7 @@ ROOT:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 
 .DEFAULT_GOAL:=help
 
-GO_VERSION ?= 1.22.5
+GO_VERSION ?= 1.22.11
 GO_CONTAINER_IMAGE ?= docker.io/library/golang:$(GO_VERSION)
 
 # Use GOPROXY environment variable if set
@@ -74,7 +74,7 @@ GOLANGCI_LINT_VER := v1.57.2
 GOLANGCI_LINT_BIN := golangci-lint
 GOLANGCI_LINT := $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER)
 
-KUSTOMIZE_VER := v5.3.0
+KUSTOMIZE_VER := v5.6.0
 KUSTOMIZE_BIN := kustomize
 KUSTOMIZE := $(TOOLS_BIN_DIR)/$(KUSTOMIZE_BIN)-$(KUSTOMIZE_VER)
 

diff --git a/Tiltfile b/Tiltfile
@@ -20,7 +20,7 @@ def build_image():
         "SECURITY_CONTACTS"
         ],
        build_args = {
-        "builder_image": "docker.io/library/golang:1.22.5",
+        "builder_image": "docker.io/library/golang:1.22.11",
         }
     )
 

diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml
@@ -14,11 +14,11 @@ metadata:
   name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
   namespace: system
 spec:
-  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
   dnsNames:
-  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
-  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  - SERVICE_NAME.SERVICE_NAMESPACE.svc
+  - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local
   issuerRef:
     kind: Issuer
     name: selfsigned-issuer
-  secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
+  secretName: capi-operator-webhook-service-cert # this secret will not be prefixed, since it's not managed by kustomize
diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml
@@ -6,14 +6,3 @@ nameReference:
   - kind: Certificate
     group: cert-manager.io
     path: spec/issuerRef/name
-
-varReference:
-- kind: Certificate
-  group: cert-manager.io
-  path: spec/commonName
-- kind: Certificate
-  group: cert-manager.io
-  path: spec/dnsNames
-- kind: Certificate
-  group: cert-manager.io
-  path: spec/secretName
diff --git a/config/chart/kustomization.yaml b/config/chart/kustomization.yaml
@@ -9,10 +9,12 @@ namespace: "{{ .Release.Namespace }}"
 namePrefix: capi-operator-
 
 # Labels to add to all resources and selectors.
-commonLabels:
-  clusterctl.cluster.x-k8s.io/core: "capi-operator"
+labels:
+- includeSelectors: true
+  pairs:
+    clusterctl.cluster.x-k8s.io/core: "capi-operator"
 
-bases:
+resources:
 - ../crd
 - ../rbac
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
@@ -27,40 +29,102 @@ patches:
 - path: patches/keep-crds.yaml
   target:
     kind: CustomResourceDefinition
+- path: webhookcainjection_patch.yaml
 
-patchesStrategicMerge:
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
-# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
-# 'CERTMANAGER' needs to be enabled to use ca injection
-- webhookcainjection_patch.yaml
-
-configurations:
-  - kustomizeconfig.yaml
-vars:
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
-- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-  objref:
+replacements:
+- source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs
     kind: Certificate
     group: cert-manager.io
     version: v1
     name: serving-cert # this name should match the one in certificate.yaml
-  fieldref:
-    fieldpath: metadata.namespace
-- name: CERTIFICATE_NAME
-  objref:
+    fieldPath: .metadata.namespace # namespace of the certificate CR
+  targets:
+    - select:
+        kind: ValidatingWebhookConfiguration
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 0
+        create: true
+    - select:
+        kind: MutatingWebhookConfiguration
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 0
+        create: true
+    - select:
+        kind: CustomResourceDefinition
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 0
+        create: true
+- source:
     kind: Certificate
     group: cert-manager.io
     version: v1
     name: serving-cert # this name should match the one in certificate.yaml
-- name: SERVICE_NAMESPACE # namespace of the service
-  objref:
+    fieldPath: .metadata.name
+  targets:
+    - select:
+        kind: ValidatingWebhookConfiguration
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 1
+        create: true
+    - select:
+        kind: MutatingWebhookConfiguration
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 1
+        create: true
+    - select:
+        kind: CustomResourceDefinition
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 1
+        create: true
+- source: # Add cert-manager annotation to the webhook Service
     kind: Service
     version: v1
     name: webhook-service
-  fieldref:
-    fieldpath: metadata.namespace
-- name: SERVICE_NAME
-  objref:
+    fieldPath: .metadata.name # namespace of the service
+  targets:
+    - select:
+        kind: Certificate
+        group: cert-manager.io
+        version: v1
+      fieldPaths:
+        - .spec.dnsNames.0
+        - .spec.dnsNames.1
+      options:
+        delimiter: '.'
+        index: 0
+        create: true
+- source:
     kind: Service
     version: v1
     name: webhook-service
+    fieldPath: .metadata.namespace # namespace of the service
+  targets:
+    - select:
+        kind: Certificate
+        group: cert-manager.io
+        version: v1
+      fieldPaths:
+        - .spec.dnsNames.0
+        - .spec.dnsNames.1
+      options:
+        delimiter: '.'
+        index: 1
+        create: true
diff --git a/config/chart/kustomizeconfig.yaml b/config/chart/kustomizeconfig.yaml
diff --git a/config/chart/webhookcainjection_patch.yaml b/config/chart/webhookcainjection_patch.yaml
@@ -5,11 +5,11 @@ kind: MutatingWebhookConfiguration
 metadata:
   name: mutating-webhook-configuration
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: validating-webhook-configuration
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -11,27 +11,27 @@ resources:
 - bases/operator.cluster.x-k8s.io_runtimeextensionproviders.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
-patchesStrategicMerge:
+patches:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
-- patches/webhook_in_coreproviders.yaml
-- patches/webhook_in_bootstrapproviders.yaml
-- patches/webhook_in_controlplaneproviders.yaml
-- patches/webhook_in_infrastructureproviders.yaml
-- patches/webhook_in_addonproviders.yaml
-- patches/webhook_in_ipamproviders.yaml
-- patches/webhook_in_runtimeextensionproviders.yaml
+- path: patches/webhook_in_coreproviders.yaml
+- path: patches/webhook_in_bootstrapproviders.yaml
+- path: patches/webhook_in_controlplaneproviders.yaml
+- path: patches/webhook_in_infrastructureproviders.yaml
+- path: patches/webhook_in_addonproviders.yaml
+- path: patches/webhook_in_ipamproviders.yaml
+- path: patches/webhook_in_runtimeextensionproviders.yaml
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
-- patches/cainjection_in_coreproviders.yaml
-- patches/cainjection_in_bootstrapproviders.yaml
-- patches/cainjection_in_controlplaneproviders.yaml
-- patches/cainjection_in_infrastructureproviders.yaml
-- patches/cainjection_in_addonproviders.yaml
-- patches/cainjection_in_ipamproviders.yaml
-- patches/cainjection_in_runtimeextensionproviders.yaml
+- path: patches/cainjection_in_coreproviders.yaml
+- path: patches/cainjection_in_bootstrapproviders.yaml
+- path: patches/cainjection_in_controlplaneproviders.yaml
+- path: patches/cainjection_in_infrastructureproviders.yaml
+- path: patches/cainjection_in_addonproviders.yaml
+- path: patches/cainjection_in_ipamproviders.yaml
+- path: patches/cainjection_in_runtimeextensionproviders.yaml
 # +kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

diff --git a/config/crd/kustomizeconfig.yaml b/config/crd/kustomizeconfig.yaml
@@ -12,6 +12,3 @@ namespace:
   group: apiextensions.k8s.io
   path: spec/conversion/webhook/clientConfig/service/namespace
   create: false
-
-varReference:
-- path: metadata/annotations
diff --git a/config/crd/patches/cainjection_in_addonproviders.yaml b/config/crd/patches/cainjection_in_addonproviders.yaml
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
   name: addonproviders.operator.cluster.x-k8s.io
diff --git a/config/crd/patches/cainjection_in_bootstrapproviders.yaml b/config/crd/patches/cainjection_in_bootstrapproviders.yaml
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
   name: bootstrapproviders.operator.cluster.x-k8s.io
diff --git a/config/crd/patches/cainjection_in_controlplaneproviders.yaml b/config/crd/patches/cainjection_in_controlplaneproviders.yaml
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
   name: controlplaneproviders.operator.cluster.x-k8s.io
diff --git a/config/crd/patches/cainjection_in_coreproviders.yaml b/config/crd/patches/cainjection_in_coreproviders.yaml
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
   name: coreproviders.operator.cluster.x-k8s.io
diff --git a/config/crd/patches/cainjection_in_infrastructureproviders.yaml b/config/crd/patches/cainjection_in_infrastructureproviders.yaml
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
   name: infrastructureproviders.operator.cluster.x-k8s.io
diff --git a/config/crd/patches/cainjection_in_ipamproviders.yaml b/config/crd/patches/cainjection_in_ipamproviders.yaml
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
   name: ipamproviders.operator.cluster.x-k8s.io
diff --git a/config/crd/patches/cainjection_in_runtimeextensionproviders.yaml b/config/crd/patches/cainjection_in_runtimeextensionproviders.yaml
@@ -4,5 +4,5 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
   name: runtimeextensionproviders.operator.cluster.x-k8s.io
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -9,10 +9,12 @@ namespace: capi-operator-system
 namePrefix: capi-operator-
 
 # Labels to add to all resources and selectors.
-commonLabels:
-  clusterctl.cluster.x-k8s.io/core: "capi-operator"
+labels:
+- includeSelectors: true
+  pairs:
+    clusterctl.cluster.x-k8s.io/core: capi-operator
 
-bases:
+resources:
 - ../crd
 - ../rbac
 - ../manager
@@ -25,47 +27,109 @@ bases:
 #- ../prometheus
 - ../namespace
 
-patchesStrategicMerge:
-  # Provide customizable hook for make targets.
-- manager_image_patch.yaml
-- manager_pull_policy.yaml
+patches:
+# Provide customizable hook for make targets.
+- path: manager_image_patch.yaml
+- path: manager_pull_policy.yaml
+# Enable webhook.
+- path: manager_webhook_patch.yaml
+# Inject certificate in the webhook definition.
+- path: webhookcainjection_patch.yaml
 
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-# crd/kustomization.yaml
-- manager_webhook_patch.yaml
-
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
-# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
-# 'CERTMANAGER' needs to be enabled to use ca injection
-- webhookcainjection_patch.yaml
-
-configurations:
-  - kustomizeconfig.yaml
-vars:
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
-- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-  objref:
+replacements:
+- source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs
     kind: Certificate
     group: cert-manager.io
     version: v1
     name: serving-cert # this name should match the one in certificate.yaml
-  fieldref:
-    fieldpath: metadata.namespace
-- name: CERTIFICATE_NAME
-  objref:
+    fieldPath: .metadata.namespace # namespace of the certificate CR
+  targets:
+    - select:
+        kind: ValidatingWebhookConfiguration
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 0
+        create: true
+    - select:
+        kind: MutatingWebhookConfiguration
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 0
+        create: true
+    - select:
+        kind: CustomResourceDefinition
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 0
+        create: true
+- source:
     kind: Certificate
     group: cert-manager.io
     version: v1
     name: serving-cert # this name should match the one in certificate.yaml
-- name: SERVICE_NAMESPACE # namespace of the service
-  objref:
+    fieldPath: .metadata.name
+  targets:
+    - select:
+        kind: ValidatingWebhookConfiguration
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 1
+        create: true
+    - select:
+        kind: MutatingWebhookConfiguration
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 1
+        create: true
+    - select:
+        kind: CustomResourceDefinition
+      fieldPaths:
+        - .metadata.annotations.[cert-manager.io/inject-ca-from]
+      options:
+        delimiter: '/'
+        index: 1
+        create: true
+- source: # Add cert-manager annotation to the webhook Service
     kind: Service
     version: v1
     name: webhook-service
-  fieldref:
-    fieldpath: metadata.namespace
-- name: SERVICE_NAME
-  objref:
+    fieldPath: .metadata.name # namespace of the service
+  targets:
+    - select:
+        kind: Certificate
+        group: cert-manager.io
+        version: v1
+      fieldPaths:
+        - .spec.dnsNames.0
+        - .spec.dnsNames.1
+      options:
+        delimiter: '.'
+        index: 0
+        create: true
+- source:
     kind: Service
     version: v1
     name: webhook-service
+    fieldPath: .metadata.namespace # namespace of the service
+  targets:
+    - select:
+        kind: Certificate
+        group: cert-manager.io
+        version: v1
+      fieldPaths:
+        - .spec.dnsNames.0
+        - .spec.dnsNames.1
+      options:
+        delimiter: '.'
+        index: 1
+        create: true
diff --git a/config/default/kustomizeconfig.yaml b/config/default/kustomizeconfig.yaml
diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml
@@ -20,4 +20,4 @@ spec:
       - name: cert
         secret:
           defaultMode: 420
-          secretName: $(SERVICE_NAME)-cert
+          secretName: capi-operator-webhook-service-cert
diff --git a/config/default/webhookcainjection_patch.yaml b/config/default/webhookcainjection_patch.yaml
@@ -5,11 +5,11 @@ kind: MutatingWebhookConfiguration
 metadata:
   name: mutating-webhook-configuration
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: validating-webhook-configuration
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml
@@ -20,6 +20,3 @@ namespace:
   group: admissionregistration.k8s.io
   path: webhooks/clientConfig/service/namespace
   create: true
-
-varReference:
-- path: metadata/annotations
diff --git a/go.mod b/go.mod
@@ -2,7 +2,7 @@ module sigs.k8s.io/cluster-api-operator
 
 go 1.22.0
 
-toolchain go1.22.5
+toolchain go1.22.11
 
 require (
 	github.com/MakeNowJust/heredoc v1.0.0

diff --git a/hack/chart-update/go.mod b/hack/chart-update/go.mod
@@ -2,7 +2,7 @@ module sigs.k8s.io/cluster-api-operator/hack/chart-update
 
 go 1.22.0
 
-toolchain go1.22.5
+toolchain go1.22.11
 
 require (
 	github.com/google/go-github/v50 v50.2.0

diff --git a/hack/tools/go.mod b/hack/tools/go.mod
@@ -2,7 +2,7 @@ module sigs.k8s.io/cluster-api-operator/hack/tools
 
 go 1.22.0
 
-toolchain go1.22.5
+toolchain go1.22.11
 
 replace (
 	sigs.k8s.io/cluster-api => sigs.k8s.io/cluster-api v1.9.4

diff --git a/netlify.toml b/netlify.toml
@@ -4,7 +4,7 @@
     publish = "docs/book/book"
 
 [build.environment]
-    GO_VERSION = "1.22.5"
+    GO_VERSION = "1.22.11"
 
 # Standard Netlify redirects
 [[redirects]]

diff --git a/test/go.mod b/test/go.mod
@@ -2,7 +2,7 @@ module sigs.k8s.io/cluster-api-operator/test
 
 go 1.22.0
 
-toolchain go1.22.5
+toolchain go1.22.11
 
 replace sigs.k8s.io/cluster-api-operator => ../