Bump k8s to v0.27.2 and sigs.k8s.io/controller-runtime v0.15.0 (#2333)

Bump k8s to v0.27.2 and sigs.k8s.io/controller-runtime v0.15.0 - github.com/onsi/ginkgo/v2 v2.9.2 => v2.9.5 - github.com/onsi/gomega v1.27.6 => v1.27.7 - github.com/openshift/library-go v0.0.0-20230411150541-a704a5774e20 => v0.0.0-20230516103935-9536341565eb - github.com/operator-framework/api v0.17.3 => v0.17.5 - github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.64.0 => v0.65.1 - github.com/prometheus/client_golang v1.15.0 => v1.15.1 - github.com/prometheus/client_model v0.3.0 => v0.4.0 - golang.org/x/tools v0.8.0 => v0.9.1 - k8s.io/* v0.26.4 => v0.27.2 - k8s.io/kube-openapi v0.0.0-20230327201221-f5883ff37f0c => v0.0.0-20230515203736-54b630e78af5 - sigs.k8s.io/controller-runtime v0.14.6 => v0.15.0 - sigs.k8s.io/controller-tools v0.11.3 => v0.12.0 - github.com/openshift/machine-api-operator v0.2.1-0.20191025120018-fb3724fc7bdf => v0.2.1-0.20230329185430-d3973b45c2b6 - github.com/gorilla/websocket v1.4.2 => v1.5.0 Signed-off-by: stirabos <stirabos@redhat.com>
kubevirt · Jun 8, 2023 · 7ac82e8 · 7ac82e8
1 parent 88c781a
commit 7ac82e8
Show file tree

Hide file tree

Showing 723 changed files with 43,568 additions and 23,744 deletions.
diff --git a/cmd/hyperconverged-cluster-operator/main.go b/cmd/hyperconverged-cluster-operator/main.go
@@ -179,73 +179,72 @@ func main() {
 
 // Restricts the cache's ListWatch to specific fields/labels per GVK at the specified object to control the memory impact
 // this is used to completely overwrite the NewCache function so all the interesting objects should be explicitly listed here
-func getNewManagerCache(operatorNamespace string) cache.NewCacheFunc {
+func getCacheOption(operatorNamespace string) cache.Options {
 	namespaceSelector := fields.Set{"metadata.namespace": operatorNamespace}.AsSelector()
 	labelSelector := labels.Set{hcoutil.AppLabel: hcoutil.HyperConvergedName}.AsSelector()
 	labelSelectorForNamespace := labels.Set{hcoutil.KubernetesMetadataName: operatorNamespace}.AsSelector()
-	return cache.BuilderWithOptions(
-		cache.Options{
-			SelectorsByObject: cache.SelectorsByObject{
-				&hcov1beta1.HyperConverged{}:           {},
-				&kubevirtcorev1.KubeVirt{}:             {},
-				&cdiv1beta1.CDI{}:                      {},
-				&networkaddonsv1.NetworkAddonsConfig{}: {},
-				&sspv1beta1.SSP{}:                      {},
-				&ttov1alpha1.TektonTasks{}:             {},
-				&schedulingv1.PriorityClass{}: {
-					Label: labels.SelectorFromSet(labels.Set{hcoutil.AppLabel: hcoutil.HyperConvergedName}),
-				},
-				&corev1.ConfigMap{}: {
-					Label: labelSelector,
-				},
-				&corev1.Service{}: {
-					Field: namespaceSelector,
-				},
-				&corev1.Endpoints{}: {
-					Field: namespaceSelector,
-				},
-				&monitoringv1.ServiceMonitor{}: {
-					Label: labelSelector,
-					Field: namespaceSelector,
-				},
-				&monitoringv1.PrometheusRule{}: {
-					Label: labelSelector,
-					Field: namespaceSelector,
-				},
-				&rbacv1.Role{}: {
-					Label: labelSelector,
-					Field: namespaceSelector,
-				},
-				&rbacv1.RoleBinding{}: {
-					Label: labelSelector,
-					Field: namespaceSelector,
-				},
-				&openshiftroutev1.Route{}: {
-					Field: namespaceSelector,
-				},
-				&imagev1.ImageStream{}: {
-					Label: labelSelector,
-				},
-				&corev1.Namespace{}: {
-					Label: labelSelectorForNamespace,
-				},
-				&openshiftconfigv1.APIServer{}: {},
-				&consolev1.ConsoleCLIDownload{}: {
-					Label: labelSelector,
-				},
-				&consolev1.ConsoleQuickStart{}: {
-					Label: labelSelector,
-				},
-				&consolev1.ConsolePlugin{}: {
-					Label: labelSelector,
-				},
-				&appsv1.Deployment{}: {
-					Label: labelSelector,
-					Field: namespaceSelector,
-				},
+
+	return cache.Options{
+		ByObject: map[client.Object]cache.ByObject{
+			&hcov1beta1.HyperConverged{}:           {},
+			&kubevirtcorev1.KubeVirt{}:             {},
+			&cdiv1beta1.CDI{}:                      {},
+			&networkaddonsv1.NetworkAddonsConfig{}: {},
+			&sspv1beta1.SSP{}:                      {},
+			&ttov1alpha1.TektonTasks{}:             {},
+			&schedulingv1.PriorityClass{}: {
+				Label: labels.SelectorFromSet(labels.Set{hcoutil.AppLabel: hcoutil.HyperConvergedName}),
+			},
+			&corev1.ConfigMap{}: {
+				Label: labelSelector,
+			},
+			&corev1.Service{}: {
+				Field: namespaceSelector,
+			},
+			&corev1.Endpoints{}: {
+				Field: namespaceSelector,
+			},
+			&monitoringv1.ServiceMonitor{}: {
+				Label: labelSelector,
+				Field: namespaceSelector,
+			},
+			&monitoringv1.PrometheusRule{}: {
+				Label: labelSelector,
+				Field: namespaceSelector,
+			},
+			&rbacv1.Role{}: {
+				Label: labelSelector,
+				Field: namespaceSelector,
+			},
+			&rbacv1.RoleBinding{}: {
+				Label: labelSelector,
+				Field: namespaceSelector,
+			},
+			&openshiftroutev1.Route{}: {
+				Field: namespaceSelector,
+			},
+			&imagev1.ImageStream{}: {
+				Label: labelSelector,
+			},
+			&corev1.Namespace{}: {
+				Label: labelSelectorForNamespace,
+			},
+			&openshiftconfigv1.APIServer{}: {},
+			&consolev1.ConsoleCLIDownload{}: {
+				Label: labelSelector,
+			},
+			&consolev1.ConsoleQuickStart{}: {
+				Label: labelSelector,
+			},
+			&consolev1.ConsolePlugin{}: {
+				Label: labelSelector,
+			},
+			&appsv1.Deployment{}: {
+				Label: labelSelector,
+				Field: namespaceSelector,
 			},
 		},
-	)
+	}
 }
 
 func getManagerOptions(watchNamespace string, operatorNamespace string, needLeaderElection bool, scheme *apiruntime.Scheme) manager.Options {
@@ -258,7 +257,7 @@ func getManagerOptions(watchNamespace string, operatorNamespace string, needLead
 		LeaderElection:             needLeaderElection,
 		LeaderElectionResourceLock: resourcelock.ConfigMapsLeasesResourceLock,
 		LeaderElectionID:           "hyperconverged-cluster-operator-lock",
-		NewCache:                   getNewManagerCache(operatorNamespace),
+		Cache:                      getCacheOption(operatorNamespace),
 		Scheme:                     scheme,
 	}
 }

diff --git a/cmd/hyperconverged-cluster-webhook/main.go b/cmd/hyperconverged-cluster-webhook/main.go
@@ -2,10 +2,16 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"os"
+	"path/filepath"
+
+	"github.com/openshift/library-go/pkg/crypto"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	webhookscontrollers "github.com/kubevirt/hyperconverged-cluster-operator/controllers/webhooks"
+	"github.com/kubevirt/hyperconverged-cluster-operator/pkg/webhooks/validator"
 
 	csvv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
 	appsv1 "k8s.io/api/apps/v1"
@@ -71,6 +77,16 @@ func main() {
 		os.Exit(1)
 	}
 
+	// Make sure the certificates are mounted, this should be handled by the OLM
+	webhookCertDir := webhooks.GetWebhookCertDir()
+	certs := []string{filepath.Join(webhookCertDir, hcoutil.WebhookCertName), filepath.Join(webhookCertDir, hcoutil.WebhookKeyName)}
+	for _, fname := range certs {
+		if _, err := os.Stat(fname); err != nil {
+			logger.Error(err, "CSV certificates were not found, skipping webhook initialization")
+			cmdHelper.ExitOnError(err, "CSV certificates were not found, skipping webhook initialization")
+		}
+	}
+
 	// Setup Scheme for all resources
 	scheme := apiruntime.NewScheme()
 	cmdHelper.AddToScheme(scheme, resourcesSchemeFuncs)
@@ -84,6 +100,13 @@ func main() {
 		LivenessEndpointName:   hcoutil.LivenessEndpointName,
 		LeaderElection:         false,
 		Scheme:                 scheme,
+		WebhookServer: webhook.NewServer(webhook.Options{
+			CertDir:  webhooks.GetWebhookCertDir(),
+			CertName: hcoutil.WebhookCertName,
+			KeyName:  hcoutil.WebhookKeyName,
+			Port:     hcoutil.WebhookPort,
+			TLSOpts:  []func(*tls.Config){MutateTLSConfig},
+		}),
 	})
 	cmdHelper.ExitOnError(err, "failed to create manager")
 
@@ -157,3 +180,15 @@ func main() {
 		os.Exit(1)
 	}
 }
+
+func MutateTLSConfig(cfg *tls.Config) {
+	// This callback executes on each client call returning a new config to be used
+	// please be aware that the APIServer is using http keepalive so this is going to
+	// be executed only after a while for fresh connections and not on existing ones
+	cfg.GetConfigForClient = func(_ *tls.ClientHelloInfo) (*tls.Config, error) {
+		cipherNames, minTypedTLSVersion := validator.SelectCipherSuitesAndMinTLSVersion()
+		cfg.CipherSuites = crypto.CipherSuitesOrDie(crypto.OpenSSLToIANACipherSuites(cipherNames))
+		cfg.MinVersion = crypto.TLSVersionOrDie(string(minTypedTLSVersion))
+		return cfg, nil
+	}
+}
diff --git a/config/crd/bases/hco.kubevirt.io_hyperconvergeds.yaml b/config/crd/bases/hco.kubevirt.io_hyperconvergeds.yaml
@@ -427,7 +427,8 @@ spec:
                                             If Requests is omitted for a container,
                                             it defaults to Limits if that is explicitly
                                             specified, otherwise to an implementation-defined
-                                            value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                                            value. Requests cannot exceed Limits.
+                                            More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                                           type: object
                                       type: object
                                     selector:
@@ -887,7 +888,8 @@ spec:
                                             If Requests is omitted for a container,
                                             it defaults to Limits if that is explicitly
                                             specified, otherwise to an implementation-defined
-                                            value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                                            value. Requests cannot exceed Limits.
+                                            More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                                           type: object
                                       type: object
                                     selector:
@@ -2365,7 +2367,8 @@ spec:
                         description: 'Requests describes the minimum amount of compute
                           resources required. If Requests is omitted for a container,
                           it defaults to Limits if that is explicitly specified, otherwise
-                          to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                          to an implementation-defined value. Requests cannot exceed
+                          Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                         type: object
                     type: object
                 type: object
@@ -3905,7 +3908,8 @@ spec:
                                             If Requests is omitted for a container,
                                             it defaults to Limits if that is explicitly
                                             specified, otherwise to an implementation-defined
-                                            value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                                            value. Requests cannot exceed Limits.
+                                            More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                                           type: object
                                       type: object
                                     selector:
@@ -4365,7 +4369,8 @@ spec:
                                             If Requests is omitted for a container,
                                             it defaults to Limits if that is explicitly
                                             specified, otherwise to an implementation-defined
-                                            value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                                            value. Requests cannot exceed Limits.
+                                            More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                                           type: object
                                       type: object
                                     selector: