Merge branch 'main' into issue-10544

Author: serngawy

.github/ISSUE_TEMPLATE/kubernetes_bump.md

@@ -72,7 +72,8 @@ Prerequisites:
     * Set new default image for the [test framework](https://github.com/kubernetes-sigs/cluster-api/blob/0f47a19e038ee6b0d3b1e7675a62cdaf84face8c/test/framework/bootstrap/kind_provider.go#L40)
     * If code changes are required for CAPD to incorporate the new Kind version, update [kind latestMode](https://github.com/kubernetes-sigs/cluster-api/blob/0f47a19e038ee6b0d3b1e7675a62cdaf84face8c/test/infrastructure/kind/mapper.go#L66)
   * Verify the quickstart manually
-  * Prior art: TODO (previously #9160 and #10094)
+  * Prior art: #10610
+* [ ] Cherry-pick above PR to the latest release branch.
 
 ### Using new Kubernetes dependencies
 

.github/dependabot.yaml

@@ -7,33 +7,48 @@ updates:
   directory: "/"
   schedule:
       interval: "weekly"
+  groups:
+    all-github-actions:
+      patterns: [ "*" ]
   commit-message:
       prefix: ":seedling:"
   labels:
     - "area/ci"
     - "ok-to-test"
 
-# Main Go module
+# Go modules
 - package-ecosystem: "gomod"
-  directory: "/"
+  directories:
+  - "/"
+  - "/test"
+  - "/hack/tools"
   schedule:
     interval: "weekly"
     day: "monday"
   ## group all dependencies with a k8s.io prefix into a single PR.
   groups:
-    kubernetes:
-      patterns: [ "k8s.io/*" ]
+    all-go-mod-patch-and-minor:
+      patterns: [ "*" ]
+      update-types: [ "patch", "minor" ]
   ignore:
   # Ignore controller-runtime as its upgraded manually.
   - dependency-name: "sigs.k8s.io/controller-runtime"
     update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
     # Ignore k8s and its transitives modules as they are upgraded manually together with controller-runtime.
   - dependency-name: "k8s.io/*"
     update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
+  - dependency-name: "github.com/prometheus/*"
+    update-types: [ "version-update:semver-major", "version-update:semver-minor"]
   - dependency-name: "go.etcd.io/*"
     update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
   - dependency-name: "google.golang.org/grpc"
     update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
+  # Note: We have to keep this 100% in sync with k8s.io, so we get exactly the behavior
+  # that the k8s.io CEL code expects.
+  - dependency-name: "github.com/google/cel-go"
+    # Ignore kind as its upgraded manually.
+  - dependency-name: "sigs.k8s.io/kind"
+    update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
     # Bumping the kustomize API independently can break compatibility with client-go as they share k8s.io/kube-openapi as a dependency.
   - dependency-name: "sigs.k8s.io/kustomize/api"
     update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
@@ -42,63 +57,3 @@ updates:
   labels:
     - "area/dependency"
     - "ok-to-test"
-
-  # Test Go module
-- package-ecosystem: "gomod"
-  directory: "/test"
-  schedule:
-    interval: "weekly"
-    day: "tuesday"
-  ## group all dependencies with a k8s.io prefix into a single PR.
-  groups:
-    kubernetes:
-      patterns: [ "k8s.io/*" ]
-  ignore:
-    # Ignore controller-runtime as its upgraded manually.
-    - dependency-name: "sigs.k8s.io/controller-runtime"
-      update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
-    # Ignore k8s and its transitives modules as they are upgraded manually together with controller-runtime.
-    - dependency-name: "k8s.io/*"
-      update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
-    - dependency-name: "go.etcd.io/*"
-      update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
-    - dependency-name: "google.golang.org/grpc"
-      update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
-    # Bumping the kustomize API independently can break compatibility with client-go as they share k8s.io/kube-openapi as a dependency.
-    - dependency-name: "sigs.k8s.io/kustomize/api"
-      update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
-  commit-message:
-    prefix: ":seedling:"
-  labels:
-    - "area/dependency"
-    - "ok-to-test"
-
-  # Hack/tools Go module
-- package-ecosystem: "gomod"
-  directory: "/hack/tools"
-  schedule:
-    interval: "weekly"
-    day: "wednesday"
-  ## group all dependencies with a k8s.io prefix into a single PR.
-  groups:
-    kubernetes:
-      patterns: [ "k8s.io/*" ]
-  ignore:
-    # Ignore controller-runtime as its upgraded manually.
-    - dependency-name: "sigs.k8s.io/controller-runtime"
-      update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
-    # Ignore k8s and its transitives modules as they are upgraded manually together with controller-runtime.
-    - dependency-name: "k8s.io/*"
-      update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
-    - dependency-name: "go.etcd.io/*"
-      update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
-    - dependency-name: "google.golang.org/grpc"
-      update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
-    # Bumping the kustomize API independently can break compatibility with client-go as they share k8s.io/kube-openapi as a dependency.
-    - dependency-name: "sigs.k8s.io/kustomize/api"
-      update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
-  commit-message:
-    prefix: ":seedling:"
-  labels:
-    - "area/dependency"
-    - "ok-to-test"

.github/workflows/pr-dependabot.yaml

@@ -19,12 +19,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out code into the Go module directory
-      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # tag=v4.1.4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
     - name: Calculate go version
       id: vars
       run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
     - name: Set up Go
-      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # tag=v5.0.0
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # tag=v5.0.2
       with:
         go-version: ${{ steps.vars.outputs.go_version }}
     - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # tag=v4.0.2

.github/workflows/pr-gh-workflow-approve.yaml

@@ -8,6 +8,8 @@ on:
       - reopened
       - synchronize
 
+permissions: {}
+
 jobs:
   approve:
     name: Approve ok-to-test

.github/workflows/pr-golangci-lint.yaml

@@ -19,17 +19,17 @@ jobs:
           - test
           - hack/tools
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # tag=v4.1.4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
       - name: Calculate go version
         id: vars
         run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
       - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # tag=v5.0.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # tag=v5.0.2
         with:
           go-version: ${{ steps.vars.outputs.go_version }}
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@9d1e0624a798bb64f6c3cea93db47765312263dc # tag=v5.1.0
+        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # tag=v6.0.1
         with:
-          version: v1.57.2
+          version: v1.59.0
           args: --out-format=colored-line-number
           working-directory: ${{matrix.working-directory}}

.github/workflows/pr-md-link-check.yaml

@@ -14,7 +14,7 @@ jobs:
     name: Broken Links
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # tag=v4.1.4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
     - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # tag=v1
       with:
         use-quiet-mode: 'yes'

.github/workflows/release.yaml

@@ -17,12 +17,12 @@ jobs:
       release_tag: ${{ steps.release-version.outputs.release_version }}
     steps:
       - name: Checkout code 
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # tag=v4.1.4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
         with:
           fetch-depth: 0
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@0874344d6ebbaa00a27da73276ae7162fadcaf69 # tag=v44.3.0
+        uses: tj-actions/changed-files@cc733854b1f224978ef800d29e4709d5ee2883e4 # tag=v44.5.5
       - name: Get release version
         id: release-version
         run: |
@@ -87,14 +87,14 @@ jobs:
         env:
           RELEASE_TAG: ${{needs.push_release_tags.outputs.release_tag}}
       - name: checkout code
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # tag=v4.1.4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
         with:
           fetch-depth: 0
           ref: ${{ env.RELEASE_TAG }}
       - name: Calculate go version
         run: echo "go_version=$(make go-version)" >> $GITHUB_ENV
       - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # tag=v5.0.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # tag=v5.0.2
         with:
           go-version: ${{ env.go_version }}
       - name: generate release artifacts
@@ -105,7 +105,7 @@ jobs:
           curl -L "https://raw.githubusercontent.com/${{ github.repository }}/main/CHANGELOG/${{ env.RELEASE_TAG }}.md" \
           -o "${{ env.RELEASE_TAG }}.md"
       - name: Release
-        uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # tag=v2.0.4
+        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # tag=v2.0.6
         with:
           draft: true
           files: out/*

.github/workflows/weekly-md-link-check.yaml

@@ -17,7 +17,7 @@ jobs:
         branch: [ main, release-1.7, release-1.6 ]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # tag=v4.1.4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
         with:
           ref: ${{ matrix.branch }}
       - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # tag=v1

.github/workflows/weekly-security-scan.yaml

@@ -18,14 +18,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
-      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # tag=v4.1.4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
       with:
         ref: ${{ matrix.branch }}
     - name: Calculate go version
       id: vars
       run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
     - name: Set up Go
-      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # tag=v5.0.0
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # tag=v5.0.2
       with:
         go-version: ${{ steps.vars.outputs.go_version }}
     - name: Run verify security target

.github/workflows/weekly-test-release.yaml

@@ -20,7 +20,7 @@ jobs:
         branch: [ main, release-1.7, release-1.6 ]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # tag=v4.1.4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
         with:
           ref: ${{ matrix.branch }}
           fetch-depth: 0
@@ -32,7 +32,7 @@ jobs:
       - name: Calculate go version
         run: echo "go_version=$(make go-version)" >> $GITHUB_ENV
       - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # tag=v5.0.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # tag=v5.0.2
         with:
           go-version: ${{ env.go_version }}
       - name: Test release

.golangci.yml

@@ -19,12 +19,12 @@ linters:
   - bidichk
   - bodyclose
   - containedctx
+  - copyloopvar
   - dogsled
   - dupword
   - durationcheck
   - errcheck
   - errchkjson
-  - exportloopref
   - gci
   - ginkgolinter
   - goconst
@@ -38,6 +38,7 @@ linters:
   - govet
   - importas
   - ineffassign
+  - intrange
   - loggercheck
   - misspell
   - nakedret
@@ -51,6 +52,7 @@ linters:
   - rowserrcheck
   - staticcheck
   - stylecheck
+  - tenv
   - thelper
   - typecheck
   - unconvert
@@ -232,7 +234,15 @@ issues:
   # should be removed as the referenced deprecated item is removed from the project.
   - linters:
       - staticcheck
-    text: "SA1019: (bootstrapv1.ClusterStatus|KubeadmConfigSpec.UseExperimentalRetryJoin|scope.Config.Spec.UseExperimentalRetryJoin|DockerMachine.Spec.Bootstrapped|machineStatus.Bootstrapped|c.TopologyPlan) is deprecated"
+    text: "SA1019: (bootstrapv1.ClusterStatus|KubeadmConfigSpec.UseExperimentalRetryJoin|scope.Config.Spec.UseExperimentalRetryJoin|DockerMachine.Spec.Bootstrapped|machineStatus.Bootstrapped|c.TopologyPlan|clusterv1.ClusterClassVariableMetadata|(variable|currentDefinition|specVar|newVariableDefinition|statusVarDefinition).Metadata) is deprecated"
+  # Deprecations for MD revision management
+  - linters:
+      - staticcheck
+    text: "SA1019: (deployment|m|md)(.Spec.RevisionHistoryLimit)|clusterv1.RevisionHistoryAnnotation|c.RolloutUndo is deprecated"
+    # Deprecations for MHC MaxUnhealthy, UnhealthyRange
+  - linters:
+      - staticcheck
+    text: "SA1019: (mhc|m)(.Spec.MaxUnhealthy|.Spec.UnhealthyRange) is deprecated"
   # Specific exclude rules for deprecated packages that are still part of the codebase. These
   # should be removed as the referenced deprecated packages are removed from the project.
   - linters:
@@ -288,6 +298,12 @@ issues:
     - stylecheck
     path: util/defaulting/defaulting.go
     text: should not use dot imports
+  # Large parts of this file are duplicate from k/k. Let's ignore "emptyStringTest" to reduce the noise in diffs
+  # and to avoid making mistakes by diverging from upstream just because of this purely stylistic linter finding.
+  - linters:
+      - gocritic
+    text: "emptyStringTest"
+    path: internal/topology/variables/clusterclass_variable_validation.go
   # Append should be able to assign to a different var/slice.
   - linters:
     - gocritic

.markdownlinkcheck.json

@@ -1,6 +1,8 @@
 {
     "ignorePatterns": [{
         "pattern": "^http://localhost"
+    },{
+        "pattern": "https://azure.microsoft.com/en-us/products/kubernetes-service"
     }],
     "httpHeaders": [{
         "comment": "Workaround as suggested here: https://github.com/tcort/markdown-link-check/issues/201",

CHANGELOG/v1.6.5.md

@@ -0,0 +1,34 @@
+## 👌 Kubernetes version support
+
+- Management Cluster: v1.25.x -> v1.29.x
+- Workload Cluster: v1.23.x -> v1.29.x
+
+[More information about version support can be found here](https://cluster-api.sigs.k8s.io/reference/versions.html)
+
+## Changes since v1.6.4
+## :chart_with_upwards_trend: Overview
+- 6 new commits merged
+- 4 bugs fixed 🐛
+
+## :bug: Bug Fixes
+- CAPD: Verify lb config after writing it (#10462)
+- clusterctl: Ensure cert-manager objects get applied before other provider objects (#10504)
+- e2e: Kubetest: also gather junit reports in case of errors observed from ginkgo (#10495)
+- e2e: Test: Ensure ownerRef assertions for all Kinds are evaluated (#10593)
+
+## :seedling: Others
+- API: Allow users to specify webhook server cert and key names (#10582)
+- clusterctl: Bump cert-manager to 1.14.5 (#10518)
+
+## Dependencies
+
+### Added
+_Nothing has changed._
+
+### Changed
+_Nothing has changed._
+
+### Removed
+_Nothing has changed._
+
+_Thanks to all our contributors!_ 😊