CI-1658: Upgrade controller-runtime to v0.10.3

Upgrades controller-runtime from v0.9.6 to v0.10.3.

controller-runtime v0.10.0 now uses the k8s 1.22.x API, this means that
many deprecated APIs have now been removed.
https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-22

Removed v1beta1 versions of the `scheduling` and `admissionregistration`
API from integrations tests, and I have also updated the base manifests
to remove these versions too.

Updated the kind node image to 1.22.2 to match our k8s API
version for acceptance tests.

Updated our CI unit and integration tests to use the `setup-envtest`
helper utility which configures k8s versions for the controller-runtime
envtest pkg to use for testing. Set the envtest k8 version to 1.22.2.
See these urls for more information:
https://book.kubebuilder.io/reference/envtest.html#configuring-envtest-for-integration-tests
https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest#envtest-binaries-manager

Documented how to use setup-envtest for local unit and integration
testing.
Using setup-envtest for local tests also gets rid of this issue:
https://book.kubebuilder.io/reference/envtest.html#kubernetes-120-and-121-binary-issues
which was present in the binaries packaged with kubebuilder v2.3.1.

Bump controller-gen to [v0.7.0](https://github.com/kubernetes-sigs/controller-tools/releases/tag/v0.7.0)
as controller-tools k8s dependencies are bumped to 1.22.1, removes support for deprecated v1beta1 CRDs and
webhooks.

.circleci/config.yml

@@ -44,14 +44,14 @@ jobs:
           name: Install ginkgo test runner
           command: go install github.com/onsi/ginkgo/ginkgo@v1.16.5
       - run:
-          name: Install Kubebuilder test helpers
+          name: Install envtest binaries for k8s 1.22.x
           command: |
-            mkdir /usr/local/kubebuilder
-            curl -fsL https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.1/kubebuilder_2.3.1_linux_amd64.tar.gz \
-              | tar -xvz --strip=1 -C /usr/local/kubebuilder
+            go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+            setup-envtest use -p path 1.22.x
       - run:
           name: Run tests
           command: |
+            source <(setup-envtest use -i -p env 1.22.x)
             ginkgo -race -randomizeSuites -randomizeAllSpecs -r -v ./...
 
 

Makefile

@@ -30,6 +30,9 @@ bin/%:
 	CGO_ENABLED=0 GOARCH=amd64 $(BUILD_COMMAND) -o $@ ./cmd/$*/.
 
 # go install github.com/onsi/ginkgo/ginkgo@v1.16.5
+# go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+# setup-envtest use -p path 1.22.x
+# source <(setup-envtest use -i -p env 1.22.x)
 test:
 	ginkgo -race -r ./...
 
@@ -78,7 +81,7 @@ ifeq (, $(shell which controller-gen))
 	CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
 	cd $$CONTROLLER_GEN_TMP_DIR ;\
 	go mod init tmp ;\
-	go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.5.0 ;\
+	go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.7.0 ;\
 	rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
 	}
 CONTROLLER_GEN=$(GOBIN)/controller-gen

README.md

@@ -129,6 +129,18 @@ Theatre has test suites at several different levels, each of which play a
 specific role. All of these suites are written using the [Ginkgo][ginkgo]
 framework.
 
+In order to setup your local testing environment for unit and integration tests do the following:
+
+```bash
+$ # install setup-envtest which configures etcd and kube-apiserver binaries for envtest
+$ # https://book.kubebuilder.io/reference/envtest.html#configuring-envtest-for-integration-tests
+$ # https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest#envtest-binaries-manager
+$ go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+$ # configure envtest to use k8s 1.22.x binaries
+$ setup-envtest use -p path 1.22.x
+$ source <(setup-envtest use -i -p env 1.22.x)
+```
+
 - **Unit**: Standard unit tests, used to exhaustively specify the functionality of
   functions or objects.
 

apis/workloads/v1alpha1/integration/priority_integration_test.go

@@ -6,7 +6,7 @@ import (
 
 	"github.com/google/uuid"
 	corev1 "k8s.io/api/core/v1"
-	scheduling_v1beta1 "k8s.io/api/scheduling/v1beta1"
+	scheduling_v1 "k8s.io/api/scheduling/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -21,7 +21,7 @@ var _ = Describe("PriorityInjector", func() {
 		cancel          func()
 		namespace       string
 		labelValue      string
-		priorityClasses []*scheduling_v1beta1.PriorityClass
+		priorityClasses []*scheduling_v1.PriorityClass
 
 		c client.Client
 	)
@@ -44,7 +44,7 @@ var _ = Describe("PriorityInjector", func() {
 		By("Creating test namespace: " + namespace)
 		Expect(c.Create(ctx, ns)).To(Succeed())
 
-		priorityClasses = []*scheduling_v1beta1.PriorityClass{
+		priorityClasses = []*scheduling_v1.PriorityClass{
 			{
 				ObjectMeta:    metav1.ObjectMeta{Name: "default"},
 				GlobalDefault: true,

cmd/acceptance/main.go

@@ -37,7 +37,7 @@ var (
 	prepareImage         = prepare.Flag("image", "Docker image tag used for exchanging test images").Default("theatre:latest").String()
 	prepareConfigFile    = prepare.Flag("config-file", "Path to Kind config file").Default("kind-e2e.yaml").ExistingFile()
 	prepareDockerfile    = prepare.Flag("dockerfile", "Path to acceptance dockerfile").Default("Dockerfile").ExistingFile()
-	prepareKindNodeImage = prepare.Flag("kind-node-image", "Kind Node Image").Default("kindest/node:v1.21.2").String()
+	prepareKindNodeImage = prepare.Flag("kind-node-image", "Kind Node Image").Default("kindest/node:v1.22.2").String()
 	prepareVerbose       = prepare.Flag("verbose", "Use a higher log level when creating the cluster").Short('v').Bool()
 
 	destroy = app.Command("destroy", "Destroys the test Kubernetes cluster and other resources")

cmd/workloads-manager/acceptance/acceptance.go

@@ -5,7 +5,7 @@ import (
 	"time"
 
 	kitlog "github.com/go-kit/kit/log"
-	"k8s.io/api/admissionregistration/v1beta1"
+	v1 "k8s.io/api/admissionregistration/v1"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -90,7 +90,7 @@ func (r *Runner) Run(logger kitlog.Logger, config *rest.Config) {
 
 			// Wait for MutatingWebhookConfig to be created
 			Eventually(func() bool {
-				mutatingWebhookConfig := &v1beta1.MutatingWebhookConfiguration{}
+				mutatingWebhookConfig := &v1.MutatingWebhookConfiguration{}
 				err := kubeClient.Get(context.TODO(), client.ObjectKey{Namespace: "theatre-system", Name: "theatre-workloads"}, mutatingWebhookConfig)
 				if err != nil {
 					logger.Log("error", err)

config/acceptance/setup/resources/cert-manager.yaml

@@ -44,14 +44,7 @@ spec:
     strategy: Webhook
     # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
     webhook:
-      # We don't actually support `v1beta1` but is listed here as it is a
-      # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
-      # API server reads the supported versions in order, so _should always_
-      # attempt a `v1` request which is understood by the cert-manager webhook.
-      # Any `v1beta1` request will return an error and fail closed for that
-      # resource (the whole object request is rejected).
-      # When we no longer support v1.16 we can remove `v1beta1` from this list.
-      conversionReviewVersions: ["v1", "v1beta1"]
+      conversionReviewVersions: ["v1"]
       clientConfig:
         #
         service:
@@ -772,14 +765,7 @@ spec:
     strategy: Webhook
     # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
     webhook:
-      # We don't actually support `v1beta1` but is listed here as it is a
-      # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
-      # API server reads the supported versions in order, so _should always_
-      # attempt a `v1` request which is understood by the cert-manager webhook.
-      # Any `v1beta1` request will return an error and fail closed for that
-      # resource (the whole object request is rejected).
-      # When we no longer support v1.16 we can remove `v1beta1` from this list.
-      conversionReviewVersions: ["v1", "v1beta1"]
+      conversionReviewVersions: ["v1"]
       clientConfig:
         #
         service:
@@ -2091,14 +2077,7 @@ spec:
     strategy: Webhook
     # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
     webhook:
-      # We don't actually support `v1beta1` but is listed here as it is a
-      # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
-      # API server reads the supported versions in order, so _should always_
-      # attempt a `v1` request which is understood by the cert-manager webhook.
-      # Any `v1beta1` request will return an error and fail closed for that
-      # resource (the whole object request is rejected).
-      # When we no longer support v1.16 we can remove `v1beta1` from this list.
-      conversionReviewVersions: ["v1", "v1beta1"]
+      conversionReviewVersions: ["v1"]
       clientConfig:
         #
         service:
@@ -6022,14 +6001,7 @@ spec:
     strategy: Webhook
     # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
     webhook:
-      # We don't actually support `v1beta1` but is listed here as it is a
-      # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
-      # API server reads the supported versions in order, so _should always_
-      # attempt a `v1` request which is understood by the cert-manager webhook.
-      # Any `v1beta1` request will return an error and fail closed for that
-      # resource (the whole object request is rejected).
-      # When we no longer support v1.16 we can remove `v1beta1` from this list.
-      conversionReviewVersions: ["v1", "v1beta1"]
+      conversionReviewVersions: ["v1"]
       clientConfig:
         #
         service:
@@ -10803,14 +10775,7 @@ spec:
     strategy: Webhook
     # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
     webhook:
-      # We don't actually support `v1beta1` but is listed here as it is a
-      # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
-      # API server reads the supported versions in order, so _should always_
-      # attempt a `v1` request which is understood by the cert-manager webhook.
-      # Any `v1beta1` request will return an error and fail closed for that
-      # resource (the whole object request is rejected).
-      # When we no longer support v1.16 we can remove `v1beta1` from this list.
-      conversionReviewVersions: ["v1", "v1beta1"]
+      conversionReviewVersions: ["v1"]
       clientConfig:
         #
         service:
@@ -15585,14 +15550,7 @@ spec:
     strategy: Webhook
     # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
     webhook:
-      # We don't actually support `v1beta1` but is listed here as it is a
-      # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
-      # API server reads the supported versions in order, so _should always_
-      # attempt a `v1` request which is understood by the cert-manager webhook.
-      # Any `v1beta1` request will return an error and fail closed for that
-      # resource (the whole object request is rejected).
-      # When we no longer support v1.16 we can remove `v1beta1` from this list.
-      conversionReviewVersions: ["v1", "v1beta1"]
+      conversionReviewVersions: ["v1"]
       clientConfig:
         #
         service:
@@ -17247,15 +17205,7 @@ webhooks:
           - UPDATE
         resources:
           - "*/*"
-    # We don't actually support `v1beta1` but is listed here as it is a
-    # required value for
-    # [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025).
-    # The API server reads the supported versions in order, so _should always_
-    # attempt a `v1` request which is understood by the cert-manager webhook.
-    # Any `v1beta1` request will return an error and fail closed for that
-    # resource (the whole object request is rejected). When we no longer
-    # support v1.16 we can remove `v1beta1` from this list.
-    admissionReviewVersions: ["v1", "v1beta1"]
+    admissionReviewVersions: ["v1"]
     # This webhook only accepts v1 cert-manager resources.
     # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
     # this webhook (after the resources have been converted to v1).
@@ -17306,15 +17256,7 @@ webhooks:
           - UPDATE
         resources:
           - "*/*"
-    # We don't actually support `v1beta1` but is listed here as it is a
-    # required value for
-    # [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025).
-    # The API server reads the supported versions in order, so _should always_
-    # attempt a `v1` request which is understood by the cert-manager webhook.
-    # Any `v1beta1` request will return an error and fail closed for that
-    # resource (the whole object request is rejected). When we no longer
-    # support v1.16 we can remove `v1beta1` from this list.
-    admissionReviewVersions: ["v1", "v1beta1"]
+    admissionReviewVersions: ["v1"]
     # This webhook only accepts v1 cert-manager resources.
     # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
     # this webhook (after the resources have been converted to v1).

config/base/crds/rbac.crd.gocardless.com_directoryrolebindings.yaml

@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.5.0
+    controller-gen.kubebuilder.io/version: v0.7.0
   creationTimestamp: null
   name: directoryrolebindings.rbac.crd.gocardless.com
 spec:
@@ -19,21 +19,27 @@ spec:
   - name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: DirectoryRoleBinding is the Schema for the directoryrolebindings API
+        description: DirectoryRoleBinding is the Schema for the directoryrolebindings
+          API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
             type: string
           metadata:
             type: object
           spec:
             description: DirectoryRoleBindingSpec defines the desired state of DirectoryRoleBinding
             properties:
               roleRef:
-                description: RoleRef contains information that points to the role being used
+                description: RoleRef contains information that points to the role
+                  being used
                 properties:
                   apiGroup:
                     description: APIGroup is the group for the resource being referenced
@@ -51,19 +57,29 @@ spec:
                 type: object
               subjects:
                 items:
-                  description: Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference, or a value for non-objects such as user and group names.
+                  description: Subject contains a reference to the object or user
+                    identities a role binding applies to.  This can either hold a
+                    direct API object reference, or a value for non-objects such as
+                    user and group names.
                   properties:
                     apiGroup:
-                      description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
+                      description: APIGroup holds the API group of the referenced
+                        subject. Defaults to "" for ServiceAccount subjects. Defaults
+                        to "rbac.authorization.k8s.io" for User and Group subjects.
                       type: string
                     kind:
-                      description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+                      description: Kind of object being referenced. Values defined
+                        by this API group are "User", "Group", and "ServiceAccount".
+                        If the Authorizer does not recognized the kind value, the
+                        Authorizer should report an error.
                       type: string
                     name:
                       description: Name of the object being referenced.
                       type: string
                     namespace:
-                      description: Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
+                      description: Namespace of the referenced object.  If the object
+                        kind is non-namespace, such as "User" or "Group", and this
+                        value is not empty the Authorizer should report an error.
                       type: string
                   required:
                   - kind
@@ -75,7 +91,8 @@ spec:
             - subjects
             type: object
           status:
-            description: DirectoryRoleBindingStatus defines the observed state of DirectoryRoleBinding
+            description: DirectoryRoleBindingStatus defines the observed state of
+              DirectoryRoleBinding
             type: object
         type: object
     served: true