kubernetes-sigs
diff --git a/‎.github/workflows/lint-sample.yml
+4-1 b/‎.github/workflows/lint-sample.yml
+4-1
diff --git a/‎.github/workflows/test-e2e-samples.yml
+11-8 b/‎.github/workflows/test-e2e-samples.yml
+11-8
diff --git a/‎Makefile
+6-6 b/‎Makefile
+6-6
diff --git a/‎RELEASE.md
+2-2 b/‎RELEASE.md
+2-2
diff --git a/‎build/.goreleaser.yml
+7-8 b/‎build/.goreleaser.yml
+7-8
diff --git a/‎cmd/main.go renamed to ‎cmd/cmd.go
+3-2 b/‎cmd/main.go renamed to ‎cmd/cmd.go
+3-2
diff --git a/‎cmd/version.go
+14-5 b/‎cmd/version.go
+14-5
diff --git a/‎docs/book/install-and-build.sh
+1-1 b/‎docs/book/install-and-build.sh
+1-1
diff --git a/‎docs/book/src/cronjob-tutorial/testdata/finalizer_example.go
+2-2 b/‎docs/book/src/cronjob-tutorial/testdata/finalizer_example.go
+2-2
diff --git a/‎docs/book/src/cronjob-tutorial/testdata/project/Makefile
+2-3 b/‎docs/book/src/cronjob-tutorial/testdata/project/Makefile
+2-3
diff --git a/‎docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go
+2-2 b/‎docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go
+2-2
diff --git a/‎docs/book/src/cronjob-tutorial/testdata/project/config/crd/bases/batch.tutorial.kubebuilder.io_cronjobs.yaml
+1-1 b/‎docs/book/src/cronjob-tutorial/testdata/project/config/crd/bases/batch.tutorial.kubebuilder.io_cronjobs.yaml
+1-1
diff --git a/‎docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml
+22 b/‎docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml
+22
diff --git a/‎docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml
+17-20 b/‎docs/book/src/cronjob-tutorial/testdata/project/config/prometheus/monitor_tls_patch.yaml
+17-20
diff --git a/‎docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/crd/batch.tutorial.kubebuilder.io_cronjobs.yaml
+1-1 b/‎docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/crd/batch.tutorial.kubebuilder.io_cronjobs.yaml
+1-1
diff --git a/‎docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml
+1 b/‎docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/prometheus/monitor.yaml
+1
diff --git a/‎docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml
+7-2 b/‎docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml
+7-2
@@ -16,7 +16,10 @@ jobs:
         folder: [
           "testdata/project-v4",
           "testdata/project-v4-with-plugins",
-          "testdata/project-v4-multigroup"
+          "testdata/project-v4-multigroup",
+          "docs/book/src/cronjob-tutorial/testdata/project",
+          "docs/book/src/getting-started/testdata/project",
+          "docs/book/src/multiversion-tutorial/testdata/project"
         ]
     if: (github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository)
     steps:
 
@@ -43,8 +43,8 @@ jobs:
           sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH
           sed -i '47,49s/^#//' $KUSTOMIZATION_FILE_PATH
           # Uncomment all cert-manager injections
-          sed -i '59,212s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '214,229s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '59,234s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '236,251s/^#//' $KUSTOMIZATION_FILE_PATH
           cd testdata/project-v4/
           go mod tidy
 
@@ -86,10 +86,12 @@ jobs:
           # Uncomment only ValidatingWebhookConfiguration
           # from cert-manager replaces; we are leaving defaulting uncommented
           # since this sample has no defaulting webhooks
-          sed -i '59,164s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '59,77s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '90,107s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '120,186s/^#//' $KUSTOMIZATION_FILE_PATH
           # Uncomment only --conversion webhooks CA injection
-          sed -i '197,212s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '214,229s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '219,234s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '236,251s/^#//' $KUSTOMIZATION_FILE_PATH
           cd testdata/project-v4-with-plugins/
           go mod tidy
 
@@ -129,9 +131,10 @@ jobs:
           KUSTOMIZATION_FILE_PATH="testdata/project-v4-multigroup/config/default/kustomization.yaml"
           sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH
           # Uncomment all cert-manager injections for webhooks only
-          sed -i '59,59s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '98,212s/^#//' $KUSTOMIZATION_FILE_PATH
-          sed -i '214,229s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '59,77s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '90,107s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '120,234s/^#//' $KUSTOMIZATION_FILE_PATH
+          sed -i '236,251s/^#//' $KUSTOMIZATION_FILE_PATH
           cd testdata/project-v4-multigroup
           go mod tidy
 
 
@@ -46,15 +46,15 @@ help: ## Display this help
 ##@ Build
 
 LD_FLAGS=-ldflags " \
-    -X main.kubeBuilderVersion=$(shell git describe --tags --dirty --broken) \
-    -X main.goos=$(shell go env GOOS) \
-    -X main.goarch=$(shell go env GOARCH) \
-    -X main.gitCommit=$(shell git rev-parse HEAD) \
-    -X main.buildDate=$(shell date -u +'%Y-%m-%dT%H:%M:%SZ') \
+    -X cmd.kubeBuilderVersion=$(shell git describe --tags --dirty --broken) \
+    -X cmd.goos=$(shell go env GOOS) \
+    -X cmd.goarch=$(shell go env GOARCH) \
+    -X cmd.gitCommit=$(shell git rev-parse HEAD) \
+    -X cmd.buildDate=$(shell date -u +'%Y-%m-%dT%H:%M:%SZ') \
     "
 .PHONY: build
 build: ## Build the project locally
-	go build $(LD_FLAGS) -o bin/kubebuilder ./cmd
+	go build $(LD_FLAGS) -o bin/kubebuilder
 
 .PHONY: install
 install: build ## Build and install the binary with the current source code. Use it to test your changes locally.
 
@@ -68,7 +68,7 @@ The releases occur in an account in the Google Cloud (See [here](https://console
 ### To build the Kubebuilder CLI binaries:
 
 A trigger GitHub action [release](.github/workflows/release.yml) is trigged when a new tag is pushed.
-This action will caall the job [./build/.goreleaser.yml](./build/.goreleaser.yml).
+This action will call the job [./build/.goreleaser.yml](./build/.goreleaser.yml).
 
 ###  (Deprecated) - To build the Kubebuilder-tools: (Artifacts required to use ENV TEST)
 
@@ -93,7 +93,7 @@ see: https://github.com/kubernetes-sigs/kubebuilder/discussions/3907
 These images are built from the project [brancz/kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy).
 The projects built with Kubebuilder creates a side container with `kube-rbac-proxy` to protect the Manager.
 
-These images are can be checked in the consolse, see [here](https://console.cloud.google.com/gcr/images/kubebuilder/GLOBAL/kube-rbac-proxy).
+These images can be checked in the console, see [here](https://console.cloud.google.com/gcr/images/kubebuilder/GLOBAL/kube-rbac-proxy).
 
 The project `kube-rbac-proxy` is in the process to be donated to the k8s org. However, it is going on for a long time and then,
 we have no ETA for that to occur. When that occurs we can automate this process. But until there we need to generate these images
 
@@ -29,16 +29,15 @@ before:
 # Build a binary for each target in targets.
 builds:
   - id: kubebuilder
-    main: ./cmd
     binary: kubebuilder
     mod_timestamp: "{{ .CommitTimestamp }}"
     ldflags:
-      - -X main.kubeBuilderVersion={{ .Version }}
-      - -X main.goos={{ .Os }}
-      - -X main.goarch={{ .Arch }}
-      - -X main.gitCommit={{ .Commit }}
-      - -X main.buildDate={{ .Date }}
-      - -X main.kubernetesVendorVersion={{ .Env.KUBERNETES_VERSION }}
+      - -X cmd.kubeBuilderVersion={{ .Version }}
+      - -X cmd.goos={{ .Os }}
+      - -X cmd.goarch={{ .Arch }}
+      - -X cmd.gitCommit={{ .Commit }}
+      - -X cmd.buildDate={{ .Date }}
+      - -X cmd.kubernetesVendorVersion={{ .Env.KUBERNETES_VERSION }}
     targets:
       - linux_amd64
       - linux_arm64
@@ -47,7 +46,7 @@ builds:
       - darwin_amd64
       - darwin_arm64
     env:
-      - KUBERNETES_VERSION=1.31.0
+      - KUBERNETES_VERSION=1.32.1
       - CGO_ENABLED=0
 
 # Only binaries of the form "kubebuilder_${goos}_${goarch}" will be released.
 
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package main
+package cmd
 
 import (
 	"github.com/sirupsen/logrus"
@@ -36,7 +36,8 @@ func init() {
 	logrus.SetFormatter(&logrus.TextFormatter{DisableTimestamp: true})
 }
 
-func main() {
+// Run bootstraps & runs the CLI
+func Run() {
 	// Bundle plugin which built the golang projects scaffold with base.go/v4 and kustomize/v2 plugins
 	gov4Bundle, _ := plugin.NewBundleWithOptions(plugin.WithName(golang.DefaultNameQualifier),
 		plugin.WithVersion(plugin.Version{Number: 4}),
 
@@ -14,19 +14,22 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package main
+package cmd
 
 import (
 	"fmt"
+	"runtime/debug"
 )
 
+const unknown = "unknown"
+
 // var needs to be used instead of const as ldflags is used to fill this
 // information in the release process
 var (
-	kubeBuilderVersion      = "unknown"
-	kubernetesVendorVersion = "unknown"
-	goos                    = "unknown"
-	goarch                  = "unknown"
+	kubeBuilderVersion      = unknown
+	kubernetesVendorVersion = unknown
+	goos                    = unknown
+	goarch                  = unknown
 	gitCommit               = "$Format:%H$" // sha1 from git, output of $(git rev-parse HEAD)
 
 	buildDate = "1970-01-01T00:00:00Z" // build date in ISO8601 format, output of $(date -u +'%Y-%m-%dT%H:%M:%SZ')
@@ -44,6 +47,12 @@ type version struct {
 
 // versionString returns the CLI version
 func versionString() string {
+	if kubeBuilderVersion == unknown {
+		if info, ok := debug.ReadBuildInfo(); ok && info.Main.Version != "" {
+			kubeBuilderVersion = info.Main.Version
+		}
+	}
+
 	return fmt.Sprintf("Version: %#v", version{
 		kubeBuilderVersion,
 		kubernetesVendorVersion,
 
@@ -71,7 +71,7 @@ chmod +x /tmp/mdbook
 
 echo "grabbing the latest released controller-gen"
 go version
-go install sigs.k8s.io/controller-tools/cmd/[email protected].0
+go install sigs.k8s.io/controller-tools/cmd/[email protected].2
 
 # make sure we add the go bin directory to our path
 gobin=$(go env GOBIN)
 
@@ -64,7 +64,7 @@ func (r *CronJobReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 	// examine DeletionTimestamp to determine if object is under deletion
 	if cronJob.ObjectMeta.DeletionTimestamp.IsZero() {
 		// The object is not being deleted, so if it does not have our finalizer,
-		// then lets add the finalizer and update the object. This is equivalent
+		// then let's add the finalizer and update the object. This is equivalent
 		// to registering our finalizer.
 		if !controllerutil.ContainsFinalizer(cronJob, myFinalizerName) {
 			controllerutil.AddFinalizer(cronJob, myFinalizerName)
@@ -75,7 +75,7 @@ func (r *CronJobReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 	} else {
 		// The object is being deleted
 		if controllerutil.ContainsFinalizer(cronJob, myFinalizerName) {
-			// our finalizer is present, so lets handle any external dependency
+			// our finalizer is present, so let's handle any external dependency
 			if err := r.deleteExternalResources(cronJob); err != nil {
 				// if fail to delete the external dependency here, return with error
 				// so that it can be retried.
 
@@ -67,8 +67,7 @@ test: manifests generate fmt vet setup-envtest ## Run tests.
 
 # TODO(user): To use a different vendor for e2e tests, modify the setup under 'tests/e2e'.
 # The default setup assumes Kind is pre-installed and builds/loads the Manager Docker image locally.
-# Prometheus and CertManager are installed by default; skip with:
-# - PROMETHEUS_INSTALL_SKIP=true
+# CertManager is installed by default; skip with:
 # - CERT_MANAGER_INSTALL_SKIP=true
 .PHONY: test-e2e
 test-e2e: manifests generate fmt vet ## Run the e2e tests. Expected an isolated environment using Kind.
@@ -177,7 +176,7 @@ GOLANGCI_LINT = $(LOCALBIN)/golangci-lint
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.5.0
-CONTROLLER_TOOLS_VERSION ?= v0.17.1
+CONTROLLER_TOOLS_VERSION ?= v0.17.2
 #ENVTEST_VERSION is the version of controller-runtime release branch to fetch the envtest setup script (i.e. release-0.20)
 ENVTEST_VERSION ?= $(shell go list -m -f "{{ .Version }}" sigs.k8s.io/controller-runtime | awk -F'[v.]' '{printf "release-%d.%d", $$2, $$3}')
 #ENVTEST_K8S_VERSION is the version of Kubernetes to use for setting up ENVTEST binaries (i.e. 1.31)
 
@@ -155,7 +155,7 @@ func main() {
 
 	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
 	// More info:
-	// - https://pkg.go.dev/sigs.k8s.io/[email protected].0/pkg/metrics/server
+	// - https://pkg.go.dev/sigs.k8s.io/[email protected].2/pkg/metrics/server
 	// - https://book.kubebuilder.io/reference/metrics.html
 	metricsServerOptions := metricsserver.Options{
 		BindAddress:   metricsAddr,
@@ -167,7 +167,7 @@ func main() {
 		// FilterProvider is used to protect the metrics endpoint with authn/authz.
 		// These configurations ensure that only authorized users and service accounts
 		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
-		// https://pkg.go.dev/sigs.k8s.io/[email protected].0/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		// https://pkg.go.dev/sigs.k8s.io/[email protected].2/pkg/metrics/filters#WithAuthenticationAndAuthorization
 		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
 	}
 
 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.1
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: cronjobs.batch.tutorial.kubebuilder.io
 spec:
   group: batch.tutorial.kubebuilder.io
 
@@ -75,6 +75,17 @@ replacements:
          delimiter: '.'
          index: 0
          create: true
+     - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor
+         kind: ServiceMonitor
+         group: monitoring.coreos.com
+         version: v1
+         name: controller-manager-metrics-monitor
+       fieldPaths:
+         - spec.endpoints.0.tlsConfig.serverName
+       options:
+         delimiter: '.'
+         index: 0
+         create: true
 
  - source:
      kind: Service
@@ -94,6 +105,17 @@ replacements:
          delimiter: '.'
          index: 1
          create: true
+     - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor
+         kind: ServiceMonitor
+         group: monitoring.coreos.com
+         version: v1
+         name: controller-manager-metrics-monitor
+       fieldPaths:
+         - spec.endpoints.0.tlsConfig.serverName
+       options:
+         delimiter: '.'
+         index: 1
+         create: true
 
  - source: # Uncomment the following block if you have any webhook
      kind: Service
 
@@ -1,22 +1,19 @@
 # Patch for Prometheus ServiceMonitor to enable secure TLS configuration
 # using certificates managed by cert-manager
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: controller-manager-metrics-monitor
-  namespace: system
-spec:
-  endpoints:
-    - tlsConfig:
-        insecureSkipVerify: false
-        ca:
-          secret:
-            name: metrics-server-cert
-            key: ca.crt
-        cert:
-          secret:
-            name: metrics-server-cert
-            key: tls.crt
-        keySecret:
-          name: metrics-server-cert
-          key: tls.key
+- op: replace
+  path: /spec/endpoints/0/tlsConfig
+  value:
+    # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
+    serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc
+    insecureSkipVerify: false
+    ca:
+      secret:
+        name: metrics-server-cert
+        key: ca.crt
+    cert:
+      secret:
+        name: metrics-server-cert
+        key: tls.crt
+    keySecret:
+      name: metrics-server-cert
+      key: tls.key
@@ -9,7 +9,7 @@ metadata:
     {{- if .Values.crd.keep }}
     "helm.sh/resource-policy": keep
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.17.1
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: cronjobs.batch.tutorial.kubebuilder.io
 spec:
   group: batch.tutorial.kubebuilder.io
 
@@ -15,6 +15,7 @@ spec:
       bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
       tlsConfig:
         {{- if .Values.certmanager.enable }}
+        serverName: project-controller-manager-metrics-service.{{ .Release.Namespace }}.svc
         # Apply secure TLS configuration with cert-manager
         insecureSkipVerify: false
         ca:
 
@@ -11,7 +11,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.1
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: cronjobs.batch.tutorial.kubebuilder.io
 spec:
   group: batch.tutorial.kubebuilder.io
@@ -4276,7 +4276,11 @@ metadata:
   namespace: project-system
 spec:
   endpoints:
-  - tlsConfig:
+  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    path: /metrics
+    port: https
+    scheme: https
+    tlsConfig:
       ca:
         secret:
           key: ca.crt
@@ -4289,6 +4293,7 @@ spec:
       keySecret:
         key: tls.key
         name: metrics-server-cert
+      serverName: project-controller-manager-metrics-service.project-system.svc
   selector:
     matchLabels:
       app.kubernetes.io/name: project