Merge branch 'main' into coffeecup/regexpFix2

.github/workflows/check-actions.yml

@@ -16,7 +16,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Ensure SHA pinned actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b88cd0aad2c36a63e42c71f81cb1958fed95ac87 # v3.0.10
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@3c16e895bb662b4d7e284f032cbe8835a57773cc # v3.0.11
         with:
           # slsa-github-generator requires using a semver tag for reusable workflows. 
           # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators

.github/workflows/check-commit.yml

@@ -18,6 +18,6 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@a2bc521d745b1ba127ee2f8b02d6afaa4eed035c #v6.1.1
+      - uses: wagoid/commitlint-github-action@3d28780bbf0365e29b144e272b2121204d5be5f3 #v6.1.2
         with:
           firstParent: true

.github/workflows/e2e.yml

@@ -37,7 +37,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        k8s-version: [ 'v1.22.4', 'v1.23.6', 'v1.24.7', 'v1.25.3', 'v1.26.3', 'v1.27.2', 'v1.28.0', 'v1.29.0']
+        k8s-version: [ 'v1.24.7', 'v1.25.3', 'v1.26.3', 'v1.27.2', 'v1.28.0', 'v1.29.0', 'v1.30.0', 'v1.31.0' ]
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

.github/workflows/scorecard.yml

@@ -31,7 +31,7 @@ jobs:
           repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
           publish_results: true
       - name: Upload artifact
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: SARIF file
           path: results.sarif

Makefile

@@ -194,7 +194,7 @@ ko-publish-all: ko-publish-capsule
 ####################
 
 CONTROLLER_GEN         := $(shell pwd)/bin/controller-gen
-CONTROLLER_GEN_VERSION := v0.15.0
+CONTROLLER_GEN_VERSION := v0.16.1
 controller-gen: ## Download controller-gen locally if necessary.
 	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
 

charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: capsuleconfigurations.capsule.clastix.io
 spec:
   group: capsule.clastix.io

charts/capsule/crds/capsule.clastix.io_globaltenantresources.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: globaltenantresources.capsule.clastix.io
 spec:
   group: capsule.clastix.io

charts/capsule/crds/capsule.clastix.io_tenantresources.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: tenantresources.capsule.clastix.io
 spec:
   group: capsule.clastix.io

charts/capsule/crds/capsule.clastix.io_tenants.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.15.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: tenants.capsule.clastix.io
 spec:
   group: capsule.clastix.io
@@ -165,16 +165,12 @@ spec:
                     description: |-
                       Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames.
 
-
                       - Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule.
 
-
                       - Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant.
 
-
                       - Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace.
 
-
                       Optional.
                     enum:
                     - Cluster
@@ -351,7 +347,6 @@ spec:
                                         If present, only traffic on the specified protocol AND port will be matched.
                                       x-kubernetes-int-or-string: true
                                     protocol:
-                                      default: TCP
                                       description: |-
                                         protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
                                         If not specified, this field defaults to TCP.
@@ -398,7 +393,6 @@ spec:
                                         namespaceSelector selects namespaces using cluster-scoped labels. This field follows
                                         standard label selector semantics; if present but empty, it selects all namespaces.
 
-
                                         If podSelector is also set, then the NetworkPolicyPeer as a whole selects
                                         the pods matching podSelector in the namespaces selected by namespaceSelector.
                                         Otherwise it selects all pods in the namespaces selected by namespaceSelector.
@@ -452,7 +446,6 @@ spec:
                                         podSelector is a label selector which selects pods. This field follows standard label
                                         selector semantics; if present but empty, it selects all pods.
 
-
                                         If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
                                         the pods matching podSelector in the Namespaces selected by NamespaceSelector.
                                         Otherwise it selects the pods matching podSelector in the policy's own namespace.
@@ -560,7 +553,6 @@ spec:
                                         namespaceSelector selects namespaces using cluster-scoped labels. This field follows
                                         standard label selector semantics; if present but empty, it selects all namespaces.
 
-
                                         If podSelector is also set, then the NetworkPolicyPeer as a whole selects
                                         the pods matching podSelector in the namespaces selected by namespaceSelector.
                                         Otherwise it selects all pods in the namespaces selected by namespaceSelector.
@@ -614,7 +606,6 @@ spec:
                                         podSelector is a label selector which selects pods. This field follows standard label
                                         selector semantics; if present but empty, it selects all pods.
 
-
                                         If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
                                         the pods matching podSelector in the Namespaces selected by NamespaceSelector.
                                         Otherwise it selects the pods matching podSelector in the policy's own namespace.
@@ -696,7 +687,6 @@ spec:
                                         If present, only traffic on the specified protocol AND port will be matched.
                                       x-kubernetes-int-or-string: true
                                     protocol:
-                                      default: TCP
                                       description: |-
                                         protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
                                         If not specified, this field defaults to TCP.
@@ -1254,16 +1244,12 @@ spec:
                     description: |-
                       Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames.
 
-
                       - Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule.
 
-
                       - Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant.
 
-
                       - Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace.
 
-
                       Optional.
                     enum:
                     - Cluster
@@ -1462,7 +1448,6 @@ spec:
                                         If present, only traffic on the specified protocol AND port will be matched.
                                       x-kubernetes-int-or-string: true
                                     protocol:
-                                      default: TCP
                                       description: |-
                                         protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
                                         If not specified, this field defaults to TCP.
@@ -1509,7 +1494,6 @@ spec:
                                         namespaceSelector selects namespaces using cluster-scoped labels. This field follows
                                         standard label selector semantics; if present but empty, it selects all namespaces.
 
-
                                         If podSelector is also set, then the NetworkPolicyPeer as a whole selects
                                         the pods matching podSelector in the namespaces selected by namespaceSelector.
                                         Otherwise it selects all pods in the namespaces selected by namespaceSelector.
@@ -1563,7 +1547,6 @@ spec:
                                         podSelector is a label selector which selects pods. This field follows standard label
                                         selector semantics; if present but empty, it selects all pods.
 
-
                                         If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
                                         the pods matching podSelector in the Namespaces selected by NamespaceSelector.
                                         Otherwise it selects the pods matching podSelector in the policy's own namespace.
@@ -1671,7 +1654,6 @@ spec:
                                         namespaceSelector selects namespaces using cluster-scoped labels. This field follows
                                         standard label selector semantics; if present but empty, it selects all namespaces.
 
-
                                         If podSelector is also set, then the NetworkPolicyPeer as a whole selects
                                         the pods matching podSelector in the namespaces selected by namespaceSelector.
                                         Otherwise it selects all pods in the namespaces selected by namespaceSelector.
@@ -1725,7 +1707,6 @@ spec:
                                         podSelector is a label selector which selects pods. This field follows standard label
                                         selector semantics; if present but empty, it selects all pods.
 
-
                                         If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
                                         the pods matching podSelector in the Namespaces selected by NamespaceSelector.
                                         Otherwise it selects the pods matching podSelector in the policy's own namespace.
@@ -1807,7 +1788,6 @@ spec:
                                         If present, only traffic on the specified protocol AND port will be matched.
                                       x-kubernetes-int-or-string: true
                                     protocol:
-                                      default: TCP
                                       description: |-
                                         protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
                                         If not specified, this field defaults to TCP.

controllers/rbac/manager.go

@@ -45,15 +45,14 @@ func (r *Manager) SetupWithManager(ctx context.Context, mgr ctrl.Manager, config
 	crbErr := ctrl.NewControllerManagedBy(mgr).
 		For(&rbacv1.ClusterRoleBinding{}, namesPredicate).
 		Watches(&capsulev1beta2.CapsuleConfiguration{}, handler.Funcs{
-			UpdateFunc: func(ctx context.Context, updateEvent event.UpdateEvent, limitingInterface workqueue.RateLimitingInterface) {
+			UpdateFunc: func(ctx context.Context, updateEvent event.TypedUpdateEvent[client.Object], limitingInterface workqueue.TypedRateLimitingInterface[reconcile.Request]) {
 				if updateEvent.ObjectNew.GetName() == configurationName {
 					if crbErr := r.EnsureClusterRoleBindings(ctx); crbErr != nil {
 						r.Log.Error(err, "cannot update ClusterRoleBinding upon CapsuleConfiguration update")
 					}
 				}
 			},
-		}).
-		Complete(r)
+		}).Complete(r)
 
 	if crbErr != nil {
 		err = errors.Join(err, crbErr)

go.mod

@@ -4,33 +4,34 @@ go 1.22.5
 
 require (
 	github.com/go-logr/logr v1.4.2
-	github.com/onsi/ginkgo/v2 v2.20.0
-	github.com/onsi/gomega v1.34.1
+	github.com/onsi/ginkgo/v2 v2.20.2
+	github.com/onsi/gomega v1.34.2
 	github.com/pkg/errors v0.9.1
-	github.com/prometheus/client_golang v1.20.1
+	github.com/prometheus/client_golang v1.20.3
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
 	github.com/valyala/fasttemplate v1.2.2
 	go.uber.org/automaxprocs v1.5.3
 	go.uber.org/zap v1.27.0
 	golang.org/x/sync v0.8.0
-	k8s.io/api v0.30.3
-	k8s.io/apiextensions-apiserver v0.30.2
-	k8s.io/apimachinery v0.30.3
-	k8s.io/client-go v0.30.3
-	k8s.io/utils v0.0.0-20240423183400-0849a56e8f22
-	sigs.k8s.io/cluster-api v1.7.4
-	sigs.k8s.io/controller-runtime v0.18.4
+	k8s.io/api v0.31.0
+	k8s.io/apiextensions-apiserver v0.31.0
+	k8s.io/apimachinery v0.31.0
+	k8s.io/client-go v0.31.0
+	k8s.io/utils v0.0.0-20240821151609-f90d01438635
+	sigs.k8s.io/cluster-api v1.8.2
+	sigs.k8s.io/controller-runtime v0.19.0
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
@@ -43,7 +44,7 @@ require (
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 // indirect
+	github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@@ -53,27 +54,28 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+	golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 // indirect
 	golang.org/x/net v0.28.0 // indirect
-	golang.org/x/oauth2 v0.21.0 // indirect
-	golang.org/x/sys v0.23.0 // indirect
+	golang.org/x/oauth2 v0.22.0 // indirect
+	golang.org/x/sys v0.24.0 // indirect
 	golang.org/x/term v0.23.0 // indirect
 	golang.org/x/text v0.17.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/time v0.6.0 // indirect
 	golang.org/x/tools v0.24.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/klog/v2 v2.120.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20240822171749-76de80e0abd9 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect