Merge branch 'master' into fix_cve_2024_48957_and_cve_2024_48958

.github/workflows/deploy.yml

@@ -18,7 +18,7 @@ jobs:
     outputs:
       skip: ${{ steps.check_docs_only.outputs.skip }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - id: check_docs_only
@@ -27,7 +27,7 @@ jobs:
         run: |
           REF="HEAD^"
           [[ -z "${{ github.base_ref }}" ]] || REF=$(git show-ref ${{ github.base_ref }} | head -1 | cut -d' ' -f2)
-          echo "::set-output name=skip::$(.github/workflows/check-docs-only.sh $REF)"
+          echo "skip=$(.github/workflows/check-docs-only.sh $REF)" >> $GITHUB_OUTPUT
 
   # Job to test release steps. This will only create a release remotely if run on a tagged commit.
   goreleaser:
@@ -39,7 +39,7 @@ jobs:
     environment: deploy
     steps:
     - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
 
@@ -77,33 +77,33 @@ jobs:
     steps:
 
     - name: set up qemu
-      uses: docker/setup-qemu-action@v2
+      uses: docker/setup-qemu-action@v3
 
     - name: set up buildx
       uses: docker/setup-buildx-action@v3
 
     - name: quay.io login
       if: ${{ github.event_name != 'pull_request' }}
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
       with:
         username: ${{ secrets.QUAY_USERNAME }}
         password: ${{ secrets.QUAY_PASSWORD }}
         registry: quay.io
 
     # Check out repo before tag step for script.
     - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
 
     - name: create tags
       id: tags
       run: |
         IMG=quay.io/${{ github.repository_owner }}/${{ matrix.id }}
-        echo ::set-output name=tags::$(.github/workflows/get_image_tags.sh "$IMG" "v")
+        echo tags=$(.github/workflows/get_image_tags.sh "$IMG" "v") >> $GITHUB_OUTPUT
 
     - name: build and push
-      uses: docker/build-push-action@v3
+      uses: docker/build-push-action@v6
       with:
         file: ./images/${{ matrix.id }}/Dockerfile
         context: .
@@ -123,33 +123,33 @@ jobs:
     steps:
 
     - name: set up qemu
-      uses: docker/setup-qemu-action@v2
+      uses: docker/setup-qemu-action@v3
 
     - name: set up buildx
       uses: docker/setup-buildx-action@v3
 
     - name: quay.io login
       if: ${{ github.event_name != 'pull_request' }}
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
       with:
         username: ${{ secrets.QUAY_USERNAME }}
         password: ${{ secrets.QUAY_PASSWORD }}
         registry: quay.io
 
     # Check out repo before tag step for script.
     - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
 
     - name: create tags
       id: tags
       run: |
         IMG=quay.io/${{ github.repository_owner }}/scorecard-test-kuttl
-        echo ::set-output name=tags::$(.github/workflows/get_image_tags.sh "$IMG" "scorecard-kuttl/v")
+        echo tags=$(.github/workflows/get_image_tags.sh "$IMG" "scorecard-kuttl/v") >> $GITHUB_OUTPUT
 
     - name: build and push
-      uses: docker/build-push-action@v3
+      uses: docker/build-push-action@v6
       with:
         file: ./images/scorecard-test-kuttl/Dockerfile
         context: .

.github/workflows/freshen-images.yml

@@ -18,7 +18,7 @@ jobs:
       git_tags: ${{ steps.tags.outputs.git_tags }}
     steps:
     - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
     - id: tags
@@ -35,17 +35,17 @@ jobs:
         id: ["operator-sdk", "helm-operator", "scorecard-test"]
     steps:
     - name: set up qemu
-      uses: docker/setup-qemu-action@v2
+      uses: docker/setup-qemu-action@v3
     - name: set up buildx
       uses: docker/setup-buildx-action@v3
     - name: quay.io login
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
       with:
         username: ${{ secrets.QUAY_USERNAME }}
         password: ${{ secrets.QUAY_PASSWORD }}
         registry: quay.io
     - name: checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         fetch-depth: 1
     - name: build and push

.github/workflows/integration.yml

@@ -9,7 +9,7 @@ jobs:
     outputs:
       skip: ${{ steps.check_docs_only.outputs.skip }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - id: check_docs_only
@@ -18,15 +18,15 @@ jobs:
         run: |
           REF="HEAD^"
           [[ -z "${{ github.base_ref }}" ]] || REF=$(git show-ref ${{ github.base_ref }} | head -1 | cut -d' ' -f2)
-          echo "::set-output name=skip::$(.github/workflows/check-docs-only.sh $REF)"
+          echo "skip=$(.github/workflows/check-docs-only.sh $REF)" >> $GITHUB_OUTPUT
 
   integration:
     name: integration
     runs-on: ubuntu-22.04
     needs: check_docs_only
     if: needs.check_docs_only.outputs.skip != 'true'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - uses: actions/setup-go@v5

.github/workflows/olm-check.yml

@@ -12,7 +12,7 @@ jobs:
     name: check-olm-minor-releases
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - id: run-check-olm
         run: ./hack/check-olm.sh
 

.github/workflows/test-go.yml

@@ -12,7 +12,7 @@ jobs:
     outputs:
       skip: ${{ steps.check_docs_only.outputs.skip }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - id: check_docs_only
@@ -21,15 +21,15 @@ jobs:
         run: |
           REF="HEAD^"
           [[ -z "${{ github.base_ref }}" ]] || REF=$(git show-ref ${{ github.base_ref }} | head -1 | cut -d' ' -f2)
-          echo "::set-output name=skip::$(.github/workflows/check-docs-only.sh $REF)"
+          echo "skip=$(.github/workflows/check-docs-only.sh $REF)" >> $GITHUB_OUTPUT
 
   e2e:
     name: e2e
     runs-on: ubuntu-22.04
     needs: check_docs_only
     if: needs.check_docs_only.outputs.skip != 'true'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - uses: actions/setup-go@v5
@@ -44,7 +44,7 @@ jobs:
     needs: check_docs_only
     if: needs.check_docs_only.outputs.skip != 'true'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - uses: actions/setup-go@v5

.github/workflows/test-helm.yml

@@ -9,7 +9,7 @@ jobs:
     outputs:
       skip: ${{ steps.check_docs_only.outputs.skip }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - id: check_docs_only
@@ -18,15 +18,15 @@ jobs:
         run: |
           REF="HEAD^"
           [[ -z "${{ github.base_ref }}" ]] || REF=$(git show-ref ${{ github.base_ref }} | head -1 | cut -d' ' -f2)
-          echo "::set-output name=skip::$(.github/workflows/check-docs-only.sh $REF)"
+          echo "skip=$(.github/workflows/check-docs-only.sh $REF)" >> $GITHUB_OUTPUT
 
   e2e:
     name: e2e
     runs-on: ubuntu-22.04
     needs: check_docs_only
     if: needs.check_docs_only.outputs.skip != 'true'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - uses: actions/setup-go@v5

.github/workflows/test-sample-go.yml

@@ -9,7 +9,7 @@ jobs:
     outputs:
       skip: ${{ steps.check_docs_only.outputs.skip }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - id: check_docs_only
@@ -18,15 +18,15 @@ jobs:
         run: |
           REF="HEAD^"
           [[ -z "${{ github.base_ref }}" ]] || REF=$(git show-ref ${{ github.base_ref }} | head -1 | cut -d' ' -f2)
-          echo "::set-output name=skip::$(.github/workflows/check-docs-only.sh $REF)"
+          echo "skip=$(.github/workflows/check-docs-only.sh $REF)" >> $GITHUB_OUTPUT
 
   e2e:
     name: e2e
     runs-on: ubuntu-22.04
     needs: check_docs_only
     if: needs.check_docs_only.outputs.skip != 'true'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - uses: actions/setup-go@v5

.github/workflows/test-sanity.yml

@@ -9,7 +9,7 @@ jobs:
     outputs:
       skip: ${{ steps.check_docs_only.outputs.skip }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
     - id: check_docs_only
@@ -26,7 +26,7 @@ jobs:
     needs: check_docs_only
     if: needs.check_docs_only.outputs.skip != 'true'
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
     - uses: actions/setup-go@v5
@@ -40,12 +40,12 @@ jobs:
     name: docs
     runs-on: ubuntu-22.04
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
         submodules: recursive
     - run: make test-docs
-    - uses: gaurav-nelson/github-action-markdown-link-check@1.0.13
+    - uses: gaurav-nelson/github-action-markdown-link-check@v1
       with:
         max-depth: 1
         config-file: '.github/workflows/markdown-link-check-config.json'

Makefile

@@ -4,12 +4,12 @@ SHELL = /bin/bash
 # This value must be updated to the release tag of the most recent release, a change that must
 # occur in the release commit. IMAGE_VERSION will be removed once each subproject that uses this
 # version is moved to a separate repo and release process.
-export IMAGE_VERSION = v1.35.0
+export IMAGE_VERSION = v1.38.0
 # Build-time variables to inject into binaries
 export SIMPLE_VERSION = $(shell (test "$(shell git describe --tags)" = "$(shell git describe --tags --abbrev=0)" && echo $(shell git describe --tags)) || echo $(shell git describe --tags --abbrev=0)+git)
 export GIT_VERSION = $(shell git describe --dirty --tags --always)
 export GIT_COMMIT = $(shell git rev-parse HEAD)
-export K8S_VERSION = 1.28.0
+export K8S_VERSION = 1.30.0
 
 # Build settings
 export TOOLS_DIR = tools/bin
@@ -44,7 +44,7 @@ generate: build # Generate CLI docs and samples
 	$(GO) generate ./...
 
 .PHONY: bindata
-OLM_VERSIONS = 0.25.0 0.26.0 0.27.0
+OLM_VERSIONS = 0.26.0 0.27.0 0.28.0
 bindata: ## Update project bindata
 	./hack/generate/olm_bindata.sh $(OLM_VERSIONS)
 	$(MAKE) fix
@@ -176,12 +176,12 @@ cluster-create::
 
 .PHONY: dev-install
 dev-install::
-	$(SCRIPTS_DIR)/fetch kind 0.17.0
+	$(SCRIPTS_DIR)/fetch kind 0.23.0
 	$(SCRIPTS_DIR)/fetch kubectl $(K8S_VERSION) # Install kubectl AFTER envtest because envtest includes its own kubectl binary
 
 .PHONY: test-e2e-teardown
 test-e2e-teardown:
-	$(SCRIPTS_DIR)/fetch kind 0.17.0
+	$(SCRIPTS_DIR)/fetch kind 0.23.0
 	$(TOOLS_DIR)/kind delete cluster --name $(KIND_CLUSTER)
 	rm -f $(KUBECONFIG)
 

README.md

@@ -1,5 +1,14 @@
 <img src="website/static/operator_logo_sdk_color.svg" height="125px"></img>
 
+> ⚠️ **IMPORTANT NOTICE:** Images under `gcr.io/kubebuilder/` Will Be Unavailable Soon
+>
+> **If your project uses `gcr.io/kubebuilder/kube-rbac-proxy`** it will be affected.
+> Your project may fail to work if the image cannot be pulled. **You must move as soon as possible**, sometime from early 2025, the GCR will go away.
+>
+> The usage of the project [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) was discontinued from Kubebuilder and Operator-SDK.
+> It was replaced for similar protection using `authn/authz` via Controller-Runtime's feature [WithAuthenticationAndAuthorization](https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/filters#WithAuthenticationAndAuthorization).
+>
+> For more information and guidance see the discussion https://github.com/kubernetes-sigs/kubebuilder/discussions/3907
 
 [![Build Status](https://github.com/operator-framework/operator-sdk/workflows/deploy/badge.svg)](https://github.com/operator-framework/operator-sdk/actions)
 [![License](http://img.shields.io/:license-apache-blue.svg)](http://www.apache.org/licenses/LICENSE-2.0.html)

changelog/generated/v1.36.0.md

@@ -0,0 +1,5 @@
+## v1.36.0
+
+### Changes
+
+- - Upgrade Kubernetes dependencies from `1.28` to `1.29`. ([#6736](https://github.com/operator-framework/operator-sdk/pull/6736))

changelog/generated/v1.37.0.md

@@ -0,0 +1,6 @@
+## v1.37.0
+
+### Removals
+
+- **Breaking change**: Remove the Quarkus plugin (java-operator-plugins integration). ([#6824](https://github.com/operator-framework/operator-sdk/pull/6824))
+- **Breaking change**: (hybrid.helm/v1-alpha) Remove hybrid-helm v1-alpha support, due to low adoption, in favor of maintenance simplicity. ([#6833](https://github.com/operator-framework/operator-sdk/pull/6833))

changelog/generated/v1.38.0.md

@@ -0,0 +1,11 @@
+## v1.38.0
+
+### Changes
+
+- For Go-based, Helm-based and Ansible-based operators this release moves to Kubernetes 1.30 API's and Kubebuilder v4 Scaffolding, specifically utilizing the v4.1.1 version. The update to Kubebuiler results in some scaffolding changes which more information can be found below: - Discontinue usage of [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) in the default scaffolding of new projects. For further information, see: [Action Required: Ensure that you no longer use gcr.io/kubebuilder images](https://github.com/kubernetes-sigs/kubebuilder/discussions/3907) - The `go/v2` or `go/v3` layouts have been removed, you must upgrade to `go/v4` to be compatible with this release and future updates. To know how to upgrade,check the [migration documentation](https://book.kubebuilder.io/migration/v3vsv4). - Re-introduces authn/authz protection for the metrics endpoint using [`WithAuthenticationAndAuthorization`](https://github.com/kubernetes-sigs/controller-runtime/blob/v0.18.4/pkg/metrics/filters/filters.go#L35)  provided by controller-runtime instead of kube-rbac-proxy; which usage was [discontinued in the project](https://github.com/kubernetes-sigs/kubebuilder/discussions/3907).  Please, ensure that you no longer use the image `gcr.io/kubebuilder/kube-rbac-proxy`. Images provided under `gcr.io/kubebuilder/` will be unavailable from **March 18, 2025**. To learn more about any of the metrics changes please look at the Kubebuilder book [metrics](https://book.kubebuilder.io/reference/metrics) page.
+For `Helm-based` and `Ansible-based` operators, a new flag called `metrics-require-rbac` was introduced into the runtime/binary, to control adding  [`WithAuthenticationAndAuthorization`](https://github.com/kubernetes-sigs/controller-runtime/blob/v0.18.4/pkg/metrics/filters/filters.go#L35) to `Metrics.FilterProvider` of controller-runtime. This was done to ensure forwards and backwards compatibility of the binary and images with any scaffolded content. ([#6862](https://github.com/operator-framework/operator-sdk/pull/6862))
+
+### Bug Fixes
+
+- An additional condition is included for matching `apiVersion` of example CRs with CRD `version` when searching for the CRD in the CSV.  Previously, The `olm-spec-descriptors` scorecard test failed when multiple versions of CRD is included in the CSV.  The CR specified in `alm-examples` annotations are validated only against the first matched CRD (by name), which is incorrect.  This ensures the correct CRD version is selected for validations. ([#6784](https://github.com/operator-framework/operator-sdk/pull/6784))
+- Fix naive YAML split in `run bundle` command. ([#6829](https://github.com/operator-framework/operator-sdk/pull/6829))