diff --git a/Makefile b/Makefile
index c49ba82306b..51b63749e20 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@ SHELL = /bin/bash
 # This value must be updated to the release tag of the most recent release, a change that must
 # occur in the release commit. IMAGE_VERSION will be removed once each subproject that uses this
 # version is moved to a separate repo and release process.
-export IMAGE_VERSION = v1.39.2
+export IMAGE_VERSION = v1.40.0
 # Build-time variables to inject into binaries
 export SIMPLE_VERSION = $(shell (test "$(shell git describe --tags)" = "$(shell git describe --tags --abbrev=0)" && echo $(shell git describe --tags)) || echo $(shell git describe --tags --abbrev=0)+git)
 export GIT_VERSION = $(shell git describe --dirty --tags --always)
diff --git a/changelog/fragments/generalize-container-tool.yaml b/changelog/fragments/generalize-container-tool.yaml
deleted file mode 100644
index c17e92bcfa9..00000000000
--- a/changelog/fragments/generalize-container-tool.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-entries:
- - description: >
- The bundle build target now respects the CONTAINER_TOOL variable, allowing users to use alternative container tools like podman instead of docker.
- kind: "change"
- breaking: false
\ No newline at end of file
diff --git a/changelog/fragments/upgrade-opm.yaml b/changelog/fragments/upgrade-opm.yaml
deleted file mode 100644
index 58802440e26..00000000000
--- a/changelog/fragments/upgrade-opm.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# entries is a list of entries to include in
-# release notes and/or the migration guide
-entries:
- - description: >
- For All-based Operators, upgrade OPM to version from `v1.23.0` to `v1.55.0`, which includes several bug fixes and
- improvements. For further information, see: https://github.com/operator-framework/operator-registry/releases
- kind: "change"
- breaking: false
- migration:
- header: Upgrade OPM version to v1.55.0 in the Makefile
- body: |
- Update the OPM version in your Makefile to `v1.55.0`:
-
- ```makefile
- -const opmVersion = "v1.23.0"
- +const opmVersion = "v1.55.0"
- ```
-
- ```makefile
- - curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$${OS}-$${ARCH}-opm ;\
- + curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.55.0/$${OS}-$${ARCH}-opm ;\
- ```
diff --git a/changelog/fragments/upgrade_kubebuilder_deps.yaml b/changelog/fragments/upgrade_kubebuilder_deps.yaml
deleted file mode 100644
index 49cd17587c0..00000000000
--- a/changelog/fragments/upgrade_kubebuilder_deps.yaml
+++ /dev/null
@@ -1,612 +0,0 @@ -# entries is a list of entries to include in -# release notes and/or the migration guide -entries: - - description: > - (go/v4) For Go-based operators, a devcontainer is now available to allow users to - develop and test the operator in a local environment and leverage on solutions - such as VS Code Remote Containers and GitHub Codespaces to have a consistent - development environment. - kind: "addition" - breaking: false - migration: - header: Add a devcontainer for Go-based operators - body: | - Create the devcontainer configuration in the root of the repository - under `.devcontainer`. - 1. Create a new directory called `.devcontainer` in the root of your project. - 2. Copy the contents of the [testdata/go/v4/memcached-operator/.devcontainer](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/.devcontainer) - available in the Operator SDK repository for the tag release `v1.40.0`. - - description: > - (go/v4) For Go-based operators, new GitHub Actions are available to ensure better - quality of their code. - kind: "addition" - breaking: false - migration: - header: Add new GitHub actions for Go-based operators - body: | - Add the actions configuration in the `.github/workflows` directory. - The new actions are: - - lint.yaml: Lint the code using golangci-lint - - test.yaml: Run the tests using go test - - test-e2e.yaml: Run the e2e tests using go test - You can obtain this configuration to be added - to your project by looking at the files available - in `testdata/go/v4/memcached-operator/.github/workflows` for this release. 
- [testdata/go/v4/memcached-operator/.github/workflows](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/.github/workflows) - - description: > - (go/v4) For Go-based Operators, the `main.go` file has been enhanced to support real TLS certificates - for both webhooks and the metrics server, with automated certificate rotation via cert-manager. - This change improves security and aligns with production-grade best practices. - - Previously, setups relied on kube-rbac-proxy (deprecated in Operator SDK and Kubebuilder, - see: [kubebuilder/discussions/3907](https://github.com/kubernetes-sigs/kubebuilder/discussions/3907)), - which generated TLS certificates dynamically — a method no longer recommended for secure environments. - The updated approach adopts static certificates managed by cert-manager. - - Additionally, integrations with Prometheus now support scraping metrics using the cert-manager - generated certificates. A related fix was introduced to ensure that CA injection patches are only applied - to CRDs with a conversion webhook, avoiding unnecessary annotations. - - To support these improvements, changes to `config/default/kustomization.yaml` are required. These include: - configuring webhook and metrics server certificates, enabling Prometheus scraping with TLS, and - correcting CA injection behavior. - - These updates also introduce flexible opt-in mechanisms, allowing users to selectively enable or disable: - - TLS for the metrics server via cert-manager - - TLS for webhooks via cert-manager - - TLS configuration for Prometheus scraping - - Together, these changes are part of a broader effort to elevate the default security posture and configurability - of Go-based operators. - kind: "change" - breaking: false - migration: - header: Update your project to properly support TLS certificates for webhooks and metrics server - body: | - 1. 
Update the `main.go` file in your project to support TLS certificates for webhooks and metrics server. - - - Add the new flag definitions to accept custom certificate file paths and names: - - ```go - func main() { - ... - var metricsCertPath, metricsCertName, metricsCertKey string - var webhookCertPath, webhookCertName, webhookCertKey string - ... - flag.StringVar(&webhookCertPath, "webhook-cert-path", "", "The directory that contains the webhook certificate.") - flag.StringVar(&webhookCertName, "webhook-cert-name", "tls.crt", "The name of the webhook certificate file.") - flag.StringVar(&webhookCertKey, "webhook-cert-key", "tls.key", "The name of the webhook key file.") - flag.StringVar(&metricsCertPath, "metrics-cert-path", "", "The directory that contains the metrics server certificate.") - flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.") - flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.") - ``` - - - After this conditional check: - - ```go - if !enableHTTP2 { - tlsOpts = append(tlsOpts, disableHTTP2) - } - ``` - - Insert the following code to configure certificate watchers for webhooks and metrics: - - ```go - var metricsCertWatcher, webhookCertWatcher *certwatcher.CertWatcher - webhookTLSOpts := tlsOpts - - if len(webhookCertPath) > 0 { - setupLog.Info("Initializing webhook certificate watcher using provided certificates", - "webhook-cert-path", webhookCertPath, "webhook-cert-name", webhookCertName, "webhook-cert-key", webhookCertKey) - - var err error - webhookCertWatcher, err = certwatcher.New( - filepath.Join(webhookCertPath, webhookCertName), - filepath.Join(webhookCertPath, webhookCertKey), - ) - if err != nil { - setupLog.Error(err, "Failed to initialize webhook certificate watcher") - os.Exit(1) - } - - webhookTLSOpts = append(webhookTLSOpts, func(config *tls.Config) { - config.GetCertificate = webhookCertWatcher.GetCertificate - 
}) - } - ``` - - - Update the webhook server TLS options: - - Replace: - ```go - TLSOpts: tlsOpts, - ``` - - With: - ```go - TLSOpts: webhookTLSOpts, - ``` - - - Before initializing the manager, configure the metrics certificate watcher if metrics certs are provided: - - ```go - if len(metricsCertPath) > 0 { - setupLog.Info("Initializing metrics certificate watcher using provided certificates", - "metrics-cert-path", metricsCertPath, "metrics-cert-name", metricsCertName, "metrics-cert-key", metricsCertKey) - - var err error - metricsCertWatcher, err = certwatcher.New( - filepath.Join(metricsCertPath, metricsCertName), - filepath.Join(metricsCertPath, metricsCertKey), - ) - if err != nil { - setupLog.Error(err, "Failed to initialize metrics certificate watcher") - os.Exit(1) - } - - metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { - config.GetCertificate = metricsCertWatcher.GetCertificate - }) - } - - mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ - ... 
- }) - ``` - - - Before calling `AddHealthzCheck`, ensure the certificate watchers are registered with the manager: - - ```go - if metricsCertWatcher != nil { - setupLog.Info("Adding metrics certificate watcher to manager") - if err := mgr.Add(metricsCertWatcher); err != nil { - setupLog.Error(err, "Unable to add metrics certificate watcher to manager") - os.Exit(1) - } - } - - if webhookCertWatcher != nil { - setupLog.Info("Adding webhook certificate watcher to manager") - if err := mgr.Add(webhookCertWatcher); err != nil { - setupLog.Error(err, "Unable to add webhook certificate watcher to manager") - os.Exit(1) - } - } - - if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { - setupLog.Error(err, "Unable to set up health check") - os.Exit(1) - } - ``` - - Note that you can use as reference the `main.go` file available in the - Operator SDK repository for the tag release `v1.40.0` to see how the code should look like, - see: [testdata/go/v4/memcached-operator/cmd/main.go](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/cmd/main.go) - - 2. 
Add the new certificates in the `config/certmanager` directory: - - - Add the new files: - - `certificate-metrics.yaml` with the content: [testdata/go/v4/memcached-operator/config/certmanager/certificate-metrics.yaml](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/certmanager/certificate-metrics.yaml) - - `issuer.yaml` with the content: [testdata/go/v4/memcached-operator/config/certmanager/issuer.yaml](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/certmanager/issuer.yaml) - - - Rename certificate.yaml to `certificate-webhook.yaml` - - - Update the `kustomization.yaml` file to include the new files and remove the old ones: - Replace: `- certificate.yaml` - - With: - ```yaml - resources: - - certificate-metrics.yaml - - certificate-webhook.yaml - - issuer.yaml - ``` - **NOTE**: You can see the complete file in the repository for the tag release `v1.40.0`: [testdata/go/v4/memcached-operator/config/certmanager/kustomization.yaml](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/certmanager/kustomization.yaml) - - 3. Update the `config/default/kustomization.yaml` to allow work with the new options: - - Under `patches` ensure that you have: - - ``` - patches: - ... - # Uncomment the patches line if you enable Metrics and CertManager - # [METRICS-WITH-CERTS] To enable metrics protected with certManager, uncomment the following line. - # This patch will protect the metrics with certManager self-signed certs. - - path: cert_metrics_manager_patch.yaml - target: - kind: Deployment - - # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in - # crd/kustomization.yaml - - path: manager_webhook_patch.yaml - target: - kind: Deployment - ... 
- ``` - - Under the replacements section, replace: - - ```yaml - - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - fieldPath: .metadata.namespace # namespace of the certificate CR - targets: - - select: - kind: ValidatingWebhookConfiguration - fieldPaths: - - .metadata.annotations.[cert-manager.io/inject-ca-from] - options: - delimiter: '/' - index: 0 - create: true - - select: - kind: MutatingWebhookConfiguration - fieldPaths: - - .metadata.annotations.[cert-manager.io/inject-ca-from] - options: - delimiter: '/' - index: 0 - create: true - - select: - kind: CustomResourceDefinition - fieldPaths: - - .metadata.annotations.[cert-manager.io/inject-ca-from] - options: - delimiter: '/' - index: 0 - create: true - ``` - - With: the code from Kubebuilder samples [testdata/project-v4/config/default/kustomization.yaml](https://github.com/kubernetes-sigs/kubebuilder/blob/v4.5.2/testdata/project-v4/config/default/kustomization.yaml#L60-L155) - - **NOTE:** You can see the complete file in the repository for the tag release `v1.40.0`: [testdata/go/v4/memcached-operator/config/default/kustomization.yaml](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/default/kustomization.yaml) - - 4. Add the new file to allow patch the certs for the metrics: [testdata/go/v4/memcached-operator/config/default/cert_metrics_manager_patch.yaml](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/default/cert_metrics_manager_patch.yaml) - 5. 
Replace the content of `config/default/manager_webhook_patch.yaml` with: [testdata/go/v4/memcached-operator/config/default/config/default/manager_webhook_patch.yaml](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/default/config/default/manager_webhook_patch.yaml) - 6. Update the `config/manager/manager.yaml` to include the ports and volumes to allow the patch to work properly: - - ``` - ... - env: - - name: MEMCACHED_IMAGE - value: memcached:1.4.36-alpine - + ports: [] - ... - ``` - - ``` - ... - requests: - cpu: 10m - memory: 64Mi - + volumeMounts: [] - + volumes: [] - serviceAccountName: controller-manager - terminationGracePeriodSeconds: 10 - ... - ``` - - description: > - (go/v4) For Go-based operators, a fix has been implemented to ensure that the Prometheus - configuration can properly scrape metrics from the operator's metrics server - when TLS is enabled. - kind: "change" - breaking: false - migration: - header: Update your project to properly support TLS for Prometheus scraping - body: | - **Changes required under the hood `config/prometheus/`** - - - 1. Update the `config/prometheus/kutomization.yaml` add at the bottom: - - ```yaml - # [PROMETHEUS-WITH-CERTS] The following patch configures the ServiceMonitor in ../prometheus - # to securely reference certificates created and managed by cert-manager. - # Additionally, ensure that you uncomment the [METRICS WITH CERTMANAGER] patch under config/default/kustomization.yaml - # to mount the "metrics-server-cert" secret in the Manager Deployment. - #patches: - # - path: monitor_tls_patch.yaml - # target: - # kind: ServiceMonitor - ``` - - - 2. Add the file [config/prometheus/monitor_tls_patch.yaml](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/prometheus/monitor_tls_patch.yaml) to do the patch for the ServiceMonitor. 
- - description: > - (go/v4) For Go-based operators, a fix has been implemented to ensure that CA injection patches - are applied only to CRDs that define a conversion webhook. - - Previously, the CA injection patch logic was overly broad — applying injection annotations - to all CRDs whenever a webhook was scaffolded with the `--conversion` flag. This behavior - was introduced in Kubebuilder release `v3.5.0` when replacements were introduced in place of legacy vars - and the `kustomize/v2-alpha` plugin was adopted. - - The incorrect behavior likely went unnoticed due to incomplete support for conversion webhooks - in earlier versions. This release addresses that gap, enabling proper scaffolding and CA injection - behavior specifically for CRDs with conversion webhooks. - - To support this improvement, a new marker has been introduced: - `+kubebuilder:scaffold:crdkustomizecainjectionns`. This marker ensures that - the correct replacements are generated in `config/default/kustomization.yaml` - for CA injection. Additionally, the `kubebuilder:scaffold:crdkustomizewebhookpatch` - marker was created to ensure that the webhook patch is only applied to CRDs - that have a conversion webhook in the `config/crd/kustomization.yaml` file. - - For more information on this and other scaffolding markers, - refer to the official Kubebuilder documentation: - https://book.kubebuilder.io/reference/markers/scaffold - kind: "change" - breaking: false - migration: - header: Update your project to properly support CA injection for CRDs with conversion webhooks - body: | - **Changes required under the hood `config/crd/`** - - - 1. Update the `config/crd/kustomization.yaml` for the file to include the new marker - `+kubebuilder:scaffold:crdkustomizewebhookpatch` for the tool be able to inject - the path for any new CRD that is created with the `--conversion` flag. - - 2. 
Ensure that under the patches section you have only patches for the CRDs which - are created with the `--conversion` flag. - - 3. Remove the files prefixed with `cainjection_.yaml`. You should have only - the files prefixed with `webhookpatch_.yaml` for the CRDs that have the - `--conversion` flag. ([example](https://github.com/kubernetes-sigs/kubebuilder/tree/v4.5.2/testdata/project-v4/config/crd/patches)) - - **Changes required under the hood `config/default/`** - - - 1. Update the `config/default/kustomization.yaml` for the file to include the new marker - `+kubebuilder:scaffold:crdkustomizecainjectionns` for the tool be able to inject for any new CRD - that is created with the `--conversion` flag as well to have commented the default replacement. - For further information see an example in Kubebuilder testdata samples [testdata/project-v4/config/default/kustomization.yaml](https://github.com/kubernetes-sigs/kubebuilder/blob/7c707052daa2e8bd51f47548c02710b1f1f7a77e/testdata/project-v4/config/default/kustomization.yaml#L157-L252). - - **NOTE:** You can see the complete file in the repository for the tag release `v1.40.0`: [testdata/go/v4/memcached-operator/config/default/kustomization.yaml](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/default/kustomization.yaml) - - description: > - (go/v4) For Go-based operators, controllers now use `.Named("")` in - `SetupWithManager` to prevent naming conflicts in multi-group projects. - ([More info](https://github.com/kubernetes-sigs/kubebuilder/pull/4162)) - - kind: addition - breaking: false - - migration: - header: Use `.Named("")` in SetupWithManager for controller registration - body: | - To improve clarity and avoid naming collisions in multi-group Go-based operator projects, - each controller's `SetupWithManager` call now includes an explicit `.Named("")` declaration. 
- - Example change: - ```go - func (r *DeploymentReconciler) SetupWithManager(mgr ctrl.Manager) error { - return ctrl.NewControllerManagedBy(mgr). - For(&appsv1.Deployment{}). - Named("apps-deployment"). - Complete(r) - } - ``` - - This ensures controller names are unique and consistent across different APIs in multi-group scenarios, - which improves controller lifecycle management and logging. - - description: > - (go/v4) For Go-based operators, ENVTEST version management is now automated by - deriving values from `go.mod`, and controller tests now locate binaries dynamically. - ([More info](https://github.com/kubernetes-sigs/kubebuilder/pull/4401)) - - These updates improve the developer experience by: - - Reducing manual configuration for ENVTEST. - - Ensuring IDEs or test runners can locate the binaries reliably. - - Making controller test scaffolding more robust and portable. - - kind: change - breaking: false - - migration: - header: ENVTEST version automation and improved test binary discovery - body: | - The SDK now automates the setup of ENVTEST for Go-based operators by dynamically deriving - the required versions from `go.mod` rather than requiring manual updates in the Makefile. - - 1. Update the `Makefile`: - - The variables `ENVTEST_VERSION` and `ENVTEST_K8S_VERSION` are now computed using `go list`: - ```makefile - ENVTEST_VERSION := $(shell go list -m -f "{{ .Version }}" sigs.k8s.io/controller-runtime | awk -F'[v.]' '{printf "release-%d.%d", $$2, $$3}') - ENVTEST_K8S_VERSION := $(shell go list -m -f "{{ .Version }}" k8s.io/api | awk -F'[v.]' '{printf "1.%d", $$3}') - ``` - - A new target `setup-envtest` was introduced to automatically install the binaries: - ```makefile - .PHONY: setup-envtest - setup-envtest: - @$(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path || { \ - echo "Error setting up envtest"; exit 1; } - ``` - - The `test` target now depends on `setup-envtest` to ensure binaries are ready before running tests. - - 2. 
Update the suite_test.go files for controllers and webhooks: - In each `internal/controller/suite_test.go` and `internal/webhook//webhook/suite_test.go` file: - - A new helper function `getFirstFoundEnvTestBinaryDir()` was added: - ```go - func getFirstFoundEnvTestBinaryDir() string { - basePath := filepath.Join("..", "..", "..", "bin", "k8s") - entries, err := os.ReadDir(basePath) - if err != nil { - logf.Log.Error(err, "Failed to read directory", "path", basePath) - return "" - } - for _, entry := range entries { - if entry.IsDir() { - return filepath.Join(basePath, entry.Name()) - } - } - return "" - } - ``` - - `testEnv.BinaryAssetsDirectory` now uses this helper to locate installed ENVTEST binaries: - ```go - testEnv = &envtest.Environment{ - BinaryAssetsDirectory: getFirstFoundEnvTestBinaryDir(), - ... - } - ``` - - description: > - (go/v4) For Go-based operators, updated GolangCI-Lint configuration to replace - the deprecated `exportloopref` linter with the `copyloopvar` linter. - - kind: change - breaking: false - - migration: - header: Replace `exportloopref` with `copyloopvar` in `.golangci.yaml` - body: | - The `exportloopref` linter has been deprecated in recent versions of GolangCI-Lint. - It is now replaced with the more accurate and actively maintained `copyloopvar` linter. - - Update your `.golangci.yaml` file by replacing: - ```yaml - - exportloopref - ``` - With: - ```yaml - - copyloopvar - ``` - - description: > - (go/v4) For Go-based operators, a new Makefile target named `lint-config` has been added to verify that your `.golangci.yaml` - configuration file is valid. This helps catch issues early when customizing lint rules. 
- - ([More info](https://github.com/kubernetes-sigs/kubebuilder/pull/4462)) - - kind: addition - breaking: false - - migration: - header: Add `lint-config` target to Makefile to verify linter configuration - body: | - The target uses the `config verify` subcommand provided by `golangci-lint`: - - ```makefile - .PHONY: lint-config - lint-config: golangci-lint ## Verify golangci-lint linter configuration - $(GOLANGCI_LINT) config verify - ``` - - description: > - (go/v4) For Go-based operators, upgraded project scaffolding to Go 1.23, - Kubernetes v0.32.1, and controller-runtime v0.20.4. - - The default project scaffolding for Go-based operators has been updated to use: - - **Go 1.23** - - **Kubernetes modules v0.32.1** - - **controller-runtime v0.20.4** - - **Ginkgo v2.22.0** and **Gomega v1.36.1** - - kind: change - breaking: false - - migration: - header: Upgrade to Go 1.23 and Kubernetes v0.32.1 dependencies - body: | - 1. Update your `go.mod` to reflect the new versions: - ```go - go 1.23 - - require ( - github.com/onsi/ginkgo/v2 v2.22.0 - github.com/onsi/gomega v1.36.1 - k8s.io/api v0.32.1 - k8s.io/apimachinery v0.32.1 - k8s.io/client-go v0.32.1 - k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 - sigs.k8s.io/controller-runtime v0.20.4 - ) - ``` - - 2. Update the Go toolchain in your `Dockerfile` to match: - ```dockerfile - FROM golang:1.23 AS builder - ``` - - description: > - (go/v4) For Go-based operators, upgraded controller-runtime from `v0.19.4` to `v0.20.0` and added support for Kubernetes 1.32. - Removed deprecated `webhook.Validator` and `webhook.Defaulter` interfaces from the runtime. - Webhooks should no longer reside under the `api/` directory—this has been the default behavior since Kubebuilder - rlease [v4.3.0)(https://github.com/kubernetes-sigs/kubebuilder/releases/tag/v4.3.0). - - A `--legacy=true` flag was added to support scaffolding webhooks in the old layout when needed. 
- ([More info](https://github.com/kubernetes-sigs/kubebuilder/pull/4492) · - [Migration guide](https://github.com/kubernetes-sigs/kubebuilder/releases/tag/v4.3.0)) - kind: change - breaking: true - migration: - header: You must change your webhooks implementation to be able to use controller-runtime v0.20.0+ - body: | - If you have no webhooks, you can skip this migration. Otherwise, ensure that you check the described - steps to update your project in the release notes of Kubebuilder `v4.3.0` release: https://github.com/kubernetes-sigs/kubebuilder/releases/tag/v4.3.0 - - description: > - For ALL-based operators, scaffolded resources now include the `app.kubernetes.io/name` label to support - Kubernetes best practices for app identification. ([More info](https://github.com/kubernetes-sigs/kubebuilder/pull/4437/files)) - - kind: addition - breaking: false - - migration: - header: Add `app.kubernetes.io/name` label to your manifests - body: | - The Operator SDK now adds the `app.kubernetes.io/name` label to scaffolded Kubernetes - manifests such as Deployments, Services, and RBAC resources. This label aligns with - Kubernetes labeling conventions and improves compatibility with observability and automation tools. - - If upgrading from a previous version, you may want to add the following label manually - to your existing manifests: - - ```yaml - metadata: - labels: - app.kubernetes.io/name: - ``` - - description: > - For ALL-based operators, new role manifests are now scaffolded under the `config/rbac/` directory - to assist cluster administrators. For each API defined in the project, three role files are generated: - `_admin_role.yaml`, `_editor_role.yaml`, and `_viewer_role.yaml`. - - These roles are not applied by default. Instead, they are provided as helpers, allowing cluster - administrators to customize and apply appropriate permissions as needed. 
- - The primary motivation for scaffolding these roles is to simplify integration with Kubernetes' - aggregated roles mechanism. By including annotations such as - `rbac.authorization.k8s.io/aggregate-to-admin: "true"`, - `rbac.authorization.k8s.io/aggregate-to-edit: "true"`, and - `rbac.authorization.k8s.io/aggregate-to-view: "true"`, these role definitions can automatically - contribute permissions to the default admin, edit, and view roles in a cluster when applied. - - For more information on Kubernetes RBAC and aggregated roles, see: - https://kubernetes.io/docs/reference/access-authn-authz/rbac/ - kind: "addition" - breaking: false - migration: - header: With you wish manually add those roles to your project - body: | - See the permissions and RBAC generate as an example to know how properly - create those files for each CRD you have in your project by looking at the - sample in the repository for the tag release `v1.40.0`: [testdata/go/v4/memcached-operator/config/rbac](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/rbac) - - description: > - For ALL-based operators, new role manifests are now scaffolded under the `config/rbac/` directory - to assist cluster administrators. For each API defined in the project, three role files are generated: - `_admin_role.yaml`, `_editor_role.yaml`, and `_viewer_role.yaml`. - - These roles are not applied by default. Instead, they are provided as helpers, allowing cluster - administrators to customize and apply appropriate permissions as needed. - - The primary motivation for scaffolding these roles is to simplify integration with Kubernetes' - aggregated roles mechanism. 
By including annotations such as - `rbac.authorization.k8s.io/aggregate-to-admin: "true"`, - `rbac.authorization.k8s.io/aggregate-to-edit: "true"`, and - `rbac.authorization.k8s.io/aggregate-to-view: "true"`, these role definitions can automatically - contribute permissions to the default admin, edit, and view roles in a cluster when applied. - - For more information on Kubernetes RBAC and aggregated roles, see: - https://kubernetes.io/docs/reference/access-authn-authz/rbac/ - kind: "addition" - breaking: false - migration: - header: With you wish manually add those roles to your project - body: | - See the permissions and RBAC generate as an example to know how properly - create those files for each CRD you have in your project by looking at the - sample in the repository for the tag release `v1.40.0`: [testdata/go/v4/memcached-operator/config/rbac](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/rbac) diff --git a/changelog/generated/v1.40.0.md b/changelog/generated/v1.40.0.md new file mode 100644 index 00000000000..d01648c9617 --- /dev/null +++ b/changelog/generated/v1.40.0.md 
@@ -0,0 +1,46 @@ +## v1.40.0 + +### Additions + +- (go/v4) For Go-based operators, a devcontainer is now available to allow users to develop and test the operator in a local environment and leverage on solutions such as VS Code Remote Containers and GitHub Codespaces to have a consistent development environment. ([#6928](https://github.com/operator-framework/operator-sdk/pull/6928)) +- (go/v4) For Go-based operators, new GitHub Actions are available to ensure better quality of their code. ([#6928](https://github.com/operator-framework/operator-sdk/pull/6928)) +- (go/v4) For Go-based operators, controllers now use `.Named("")` in `SetupWithManager` to prevent naming conflicts in multi-group projects. ([More info](https://github.com/kubernetes-sigs/kubebuilder/pull/4162)). ([#6928](https://github.com/operator-framework/operator-sdk/pull/6928)) +- (go/v4) For Go-based operators, a new Makefile target named `lint-config` has been added to verify that your `.golangci.yaml` configuration file is valid. This helps catch issues early when customizing lint rules. +([More info](https://github.com/kubernetes-sigs/kubebuilder/pull/4462)). ([#6928](https://github.com/operator-framework/operator-sdk/pull/6928)) +- For ALL-based operators, scaffolded resources now include the `app.kubernetes.io/name` label to support Kubernetes best practices for app identification. ([More info](https://github.com/kubernetes-sigs/kubebuilder/pull/4437/files)). ([#6928](https://github.com/operator-framework/operator-sdk/pull/6928)) +- For ALL-based operators, new role manifests are now scaffolded under the `config/rbac/` directory to assist cluster administrators. For each API defined in the project, three role files are generated: `_admin_role.yaml`, `_editor_role.yaml`, and `_viewer_role.yaml`. +These roles are not applied by default. Instead, they are provided as helpers, allowing cluster administrators to customize and apply appropriate permissions as needed. 
+The primary motivation for scaffolding these roles is to simplify integration with Kubernetes' aggregated roles mechanism. By including annotations such as `rbac.authorization.k8s.io/aggregate-to-admin: "true"`, `rbac.authorization.k8s.io/aggregate-to-edit: "true"`, and `rbac.authorization.k8s.io/aggregate-to-view: "true"`, these role definitions can automatically contribute permissions to the default admin, edit, and view roles in a cluster when applied. +For more information on Kubernetes RBAC and aggregated roles, see: https://kubernetes.io/docs/reference/access-authn-authz/rbac/. ([#6928](https://github.com/operator-framework/operator-sdk/pull/6928)) +- For ALL-based operators, new role manifests are now scaffolded under the `config/rbac/` directory to assist cluster administrators. For each API defined in the project, three role files are generated: `_admin_role.yaml`, `_editor_role.yaml`, and `_viewer_role.yaml`. +These roles are not applied by default. Instead, they are provided as helpers, allowing cluster administrators to customize and apply appropriate permissions as needed. +The primary motivation for scaffolding these roles is to simplify integration with Kubernetes' aggregated roles mechanism. By including annotations such as `rbac.authorization.k8s.io/aggregate-to-admin: "true"`, `rbac.authorization.k8s.io/aggregate-to-edit: "true"`, and `rbac.authorization.k8s.io/aggregate-to-view: "true"`, these role definitions can automatically contribute permissions to the default admin, edit, and view roles in a cluster when applied. +For more information on Kubernetes RBAC and aggregated roles, see: https://kubernetes.io/docs/reference/access-authn-authz/rbac/. ([#6928](https://github.com/operator-framework/operator-sdk/pull/6928)) + +### Changes + +- The bundle build target now respects the CONTAINER_TOOL variable, allowing users to use alternative container tools like podman instead of docker. 
([#6932](https://github.com/operator-framework/operator-sdk/pull/6932)) +- For All-based Operators, upgrade OPM to version from `v1.23.0` to `v1.55.0`, which includes several bug fixes and improvements. For further information, see: https://github.com/operator-framework/operator-registry/releases. ([#6953](https://github.com/operator-framework/operator-sdk/pull/6953)) +- (go/v4) For Go-based Operators, the `main.go` file has been enhanced to support real TLS certificates for both webhooks and the metrics server, with automated certificate rotation via cert-manager. This change improves security and aligns with production-grade best practices. +Previously, setups relied on kube-rbac-proxy (deprecated in Operator SDK and Kubebuilder, see: [kubebuilder/discussions/3907](https://github.com/kubernetes-sigs/kubebuilder/discussions/3907)), which generated TLS certificates dynamically — a method no longer recommended for secure environments. The updated approach adopts static certificates managed by cert-manager. +Additionally, integrations with Prometheus now support scraping metrics using the cert-manager generated certificates. A related fix was introduced to ensure that CA injection patches are only applied to CRDs with a conversion webhook, avoiding unnecessary annotations. +To support these improvements, changes to `config/default/kustomization.yaml` are required. These include: configuring webhook and metrics server certificates, enabling Prometheus scraping with TLS, and correcting CA injection behavior. +These updates also introduce flexible opt-in mechanisms, allowing users to selectively enable or disable: - TLS for the metrics server via cert-manager - TLS for webhooks via cert-manager - TLS configuration for Prometheus scraping +Together, these changes are part of a broader effort to elevate the default security posture and configurability of Go-based operators. 
([#6928](https://github.com/operator-framework/operator-sdk/pull/6928)) +- (go/v4) For Go-based operators, a fix has been implemented to ensure that the Prometheus configuration can properly scrape metrics from the operator's metrics server when TLS is enabled. ([#6928](https://github.com/operator-framework/operator-sdk/pull/6928)) +- (go/v4) For Go-based operators, a fix has been implemented to ensure that CA injection patches are applied only to CRDs that define a conversion webhook. +Previously, the CA injection patch logic was overly broad — applying injection annotations to all CRDs whenever a webhook was scaffolded with the `--conversion` flag. This behavior was introduced in Kubebuilder release `v3.5.0` when replacements were introduced in place of legacy vars and the `kustomize/v2-alpha` plugin was adopted. +The incorrect behavior likely went unnoticed due to incomplete support for conversion webhooks in earlier versions. This release addresses that gap, enabling proper scaffolding and CA injection behavior specifically for CRDs with conversion webhooks. +To support this improvement, a new marker has been introduced: `+kubebuilder:scaffold:crdkustomizecainjectionns`. This marker ensures that the correct replacements are generated in `config/default/kustomization.yaml` for CA injection. Additionally, the `kubebuilder:scaffold:crdkustomizewebhookpatch` marker was created to ensure that the webhook patch is only applied to CRDs that have a conversion webhook in the `config/crd/kustomization.yaml` file. +For more information on this and other scaffolding markers, refer to the official Kubebuilder documentation: https://book.kubebuilder.io/reference/markers/scaffold. ([#6928](https://github.com/operator-framework/operator-sdk/pull/6928)) +- (go/v4) For Go-based operators, ENVTEST version management is now automated by deriving values from `go.mod`, and controller tests now locate binaries dynamically. 
([More info](https://github.com/kubernetes-sigs/kubebuilder/pull/4401)) +These updates improve the developer experience by: - Reducing manual configuration for ENVTEST. - Ensuring IDEs or test runners can locate the binaries reliably. - Making controller test scaffolding more robust and portable. ([#6928](https://github.com/operator-framework/operator-sdk/pull/6928)) +- (go/v4) For Go-based operators, updated GolangCI-Lint configuration to replace the deprecated `exportloopref` linter with the `copyloopvar` linter. ([#6928](https://github.com/operator-framework/operator-sdk/pull/6928)) +- (go/v4) For Go-based operators, upgraded project scaffolding to Go 1.23, Kubernetes v0.32.1, and controller-runtime v0.20.4. +The default project scaffolding for Go-based operators has been updated to use: + - **Go 1.23** + - **Kubernetes modules v0.32.1** + - **controller-runtime v0.20.4** + - **Ginkgo v2.22.0** and **Gomega v1.36.1**. ([#6928](https://github.com/operator-framework/operator-sdk/pull/6928)) +- **Breaking change**: (go/v4) For Go-based operators, upgraded controller-runtime from `v0.19.4` to `v0.20.0` and added support for Kubernetes 1.32. Removed deprecated `webhook.Validator` and `webhook.Defaulter` interfaces from the runtime. Webhooks should no longer reside under the `api/` directory—this has been the default behavior since Kubebuilder rlease [v4.3.0)(https://github.com/kubernetes-sigs/kubebuilder/releases/tag/v4.3.0). +A `--legacy=true` flag was added to support scaffolding webhooks in the old layout when needed. ([More info](https://github.com/kubernetes-sigs/kubebuilder/pull/4492) · [Migration guide](https://github.com/kubernetes-sigs/kubebuilder/releases/tag/v4.3.0)). ([#6928](https://github.com/operator-framework/operator-sdk/pull/6928)) diff --git a/testdata/go/v4/memcached-operator/bundle/tests/scorecard/config.yaml b/testdata/go/v4/memcached-operator/bundle/tests/scorecard/config.yaml index 3842248f93b..f7368a430eb 100644 
--- a/testdata/go/v4/memcached-operator/bundle/tests/scorecard/config.yaml +++ b/testdata/go/v4/memcached-operator/bundle/tests/scorecard/config.yaml @@ -8,7 +8,7 @@ stages: - entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: basic test: basic-check-spec-test @@ -18,7 +18,7 @@ stages: - entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-bundle-validation-test @@ -28,7 +28,7 @@ stages: - entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-crds-have-validation-test @@ -38,7 +38,7 @@ stages: - entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-crds-have-resources-test @@ -48,7 +48,7 @@ stages: - entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-spec-descriptors-test @@ -58,7 +58,7 @@ stages: - entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-status-descriptors-test diff --git a/testdata/go/v4/memcached-operator/config/scorecard/patches/basic.config.yaml b/testdata/go/v4/memcached-operator/config/scorecard/patches/basic.config.yaml index cea781d2ee7..f7e0ed492be 100644 --- a/testdata/go/v4/memcached-operator/config/scorecard/patches/basic.config.yaml 
+++ b/testdata/go/v4/memcached-operator/config/scorecard/patches/basic.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: basic test: basic-check-spec-test diff --git a/testdata/go/v4/memcached-operator/config/scorecard/patches/olm.config.yaml b/testdata/go/v4/memcached-operator/config/scorecard/patches/olm.config.yaml index fdde08eb9ab..85895c9e93d 100644 --- a/testdata/go/v4/memcached-operator/config/scorecard/patches/olm.config.yaml +++ b/testdata/go/v4/memcached-operator/config/scorecard/patches/olm.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-bundle-validation-test @@ -14,7 +14,7 @@ entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-crds-have-validation-test @@ -24,7 +24,7 @@ entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-crds-have-resources-test @@ -34,7 +34,7 @@ entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-spec-descriptors-test @@ -44,7 +44,7 @@ entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-status-descriptors-test 
diff --git a/testdata/go/v4/monitoring/memcached-operator/bundle/tests/scorecard/config.yaml b/testdata/go/v4/monitoring/memcached-operator/bundle/tests/scorecard/config.yaml index 3842248f93b..f7368a430eb 100644 --- a/testdata/go/v4/monitoring/memcached-operator/bundle/tests/scorecard/config.yaml +++ b/testdata/go/v4/monitoring/memcached-operator/bundle/tests/scorecard/config.yaml @@ -8,7 +8,7 @@ stages: - entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: basic test: basic-check-spec-test @@ -18,7 +18,7 @@ stages: - entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-bundle-validation-test @@ -28,7 +28,7 @@ stages: - entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-crds-have-validation-test @@ -38,7 +38,7 @@ stages: - entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-crds-have-resources-test @@ -48,7 +48,7 @@ stages: - entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-spec-descriptors-test @@ -58,7 +58,7 @@ stages: - entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-status-descriptors-test 
diff --git a/testdata/go/v4/monitoring/memcached-operator/config/scorecard/patches/basic.config.yaml b/testdata/go/v4/monitoring/memcached-operator/config/scorecard/patches/basic.config.yaml index cea781d2ee7..f7e0ed492be 100644 --- a/testdata/go/v4/monitoring/memcached-operator/config/scorecard/patches/basic.config.yaml +++ b/testdata/go/v4/monitoring/memcached-operator/config/scorecard/patches/basic.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: basic test: basic-check-spec-test diff --git a/testdata/go/v4/monitoring/memcached-operator/config/scorecard/patches/olm.config.yaml b/testdata/go/v4/monitoring/memcached-operator/config/scorecard/patches/olm.config.yaml index fdde08eb9ab..85895c9e93d 100644 --- a/testdata/go/v4/monitoring/memcached-operator/config/scorecard/patches/olm.config.yaml +++ b/testdata/go/v4/monitoring/memcached-operator/config/scorecard/patches/olm.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-bundle-validation-test @@ -14,7 +14,7 @@ entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-crds-have-validation-test @@ -24,7 +24,7 @@ entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-crds-have-resources-test 
@@ -34,7 +34,7 @@ entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-spec-descriptors-test @@ -44,7 +44,7 @@ entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-status-descriptors-test diff --git a/testdata/helm/memcached-operator/Dockerfile b/testdata/helm/memcached-operator/Dockerfile index 2e866118c28..1a8f8ca280c 100644 --- a/testdata/helm/memcached-operator/Dockerfile +++ b/testdata/helm/memcached-operator/Dockerfile @@ -1,5 +1,5 @@ # Build the manager binary -FROM quay.io/operator-framework/helm-operator:v1.39.2 +FROM quay.io/operator-framework/helm-operator:v1.40.0 ENV HOME=/opt/helm COPY watches.yaml ${HOME}/watches.yaml diff --git a/testdata/helm/memcached-operator/Makefile b/testdata/helm/memcached-operator/Makefile index 5388458550e..d4d84a651d0 100644 --- a/testdata/helm/memcached-operator/Makefile +++ b/testdata/helm/memcached-operator/Makefile @@ -150,7 +150,7 @@ ifeq (,$(shell which helm-operator 2>/dev/null)) @{ \ set -e ;\ mkdir -p $(dir $(HELM_OPERATOR)) ;\ - curl -sSLo $(HELM_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.39.2/helm-operator_$(OS)_$(ARCH) ;\ + curl -sSLo $(HELM_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.40.0/helm-operator_$(OS)_$(ARCH) ;\ chmod +x $(HELM_OPERATOR) ;\ } else diff --git a/testdata/helm/memcached-operator/bundle/tests/scorecard/config.yaml b/testdata/helm/memcached-operator/bundle/tests/scorecard/config.yaml index 3842248f93b..f7368a430eb 100644 --- a/testdata/helm/memcached-operator/bundle/tests/scorecard/config.yaml +++ b/testdata/helm/memcached-operator/bundle/tests/scorecard/config.yaml 
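Review bot: In the testdata/helm/memcached-operator/Makefile hunk, the bumped `curl -sSLo $(HELM_OPERATOR) …/v1.40.0/helm-operator_$(OS)_$(ARCH)` line is followed directly by `chmod +x $(HELM_OPERATOR)`, so whatever the URL returns becomes an executable with no integrity check in between. Because `curl` runs without `-f`, an HTTP error body would be written to `$(HELM_OPERATOR)` and marked executable as well; `curl -fsSLo $(HELM_OPERATOR) …` makes the recipe stop at that point under the existing `set -e`. Since the version is already pinned in the URL, the recipe could also compare the download's SHA-256 against a value pinned next to it, or against the release's checksum file if one is published, before the `chmod`. The recipe and the rule that owns it start outside the hunk, so this is based only on the lines shown.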
@@ -8,7 +8,7 @@ stages: - entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: basic test: basic-check-spec-test @@ -18,7 +18,7 @@ stages: - entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-bundle-validation-test @@ -28,7 +28,7 @@ stages: - entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-crds-have-validation-test @@ -38,7 +38,7 @@ stages: - entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-crds-have-resources-test @@ -48,7 +48,7 @@ stages: - entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-spec-descriptors-test @@ -58,7 +58,7 @@ stages: - entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-status-descriptors-test diff --git a/testdata/helm/memcached-operator/config/scorecard/patches/basic.config.yaml b/testdata/helm/memcached-operator/config/scorecard/patches/basic.config.yaml index cea781d2ee7..f7e0ed492be 100644 --- a/testdata/helm/memcached-operator/config/scorecard/patches/basic.config.yaml +++ b/testdata/helm/memcached-operator/config/scorecard/patches/basic.config.yaml 
@@ -4,7 +4,7 @@ entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: basic test: basic-check-spec-test diff --git a/testdata/helm/memcached-operator/config/scorecard/patches/olm.config.yaml b/testdata/helm/memcached-operator/config/scorecard/patches/olm.config.yaml index fdde08eb9ab..85895c9e93d 100644 --- a/testdata/helm/memcached-operator/config/scorecard/patches/olm.config.yaml +++ b/testdata/helm/memcached-operator/config/scorecard/patches/olm.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-bundle-validation-test @@ -14,7 +14,7 @@ entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-crds-have-validation-test @@ -24,7 +24,7 @@ entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-crds-have-resources-test @@ -34,7 +34,7 @@ entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-spec-descriptors-test @@ -44,7 +44,7 @@ entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.39.2 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-status-descriptors-test diff --git a/website/config.toml b/website/config.toml index 7273aa69820..f627d36a791 100644 --- a/website/config.toml +++ b/website/config.toml 
@@ -93,20 +93,26 @@ url_latest_version = "https://sdk.operatorframework.io" version = "master" url = "https://master.sdk.operatorframework.io" ##LATEST_RELEASE_KUBE_VERSION## - kube_version = "1.31.0" + kube_version = "1.32.0" ##LATEST_RELEASE_CLIENT_GO_VERSION## - client_go_version = "v0.31.7" + client_go_version = "v0.32.4" [[params.versions]] version = "Latest Release" url = "https://sdk.operatorframework.io" ##LATEST_RELEASE_KUBE_VERSION## - kube_version = "1.31.0" + kube_version = "1.32.0" ##LATEST_RELEASE_CLIENT_GO_VERSION## - client_go_version = "v0.31.7" + client_go_version = "v0.32.4" ##RELEASE_ADDME## +[[params.versions]] + version = "v1.40" + url = "https://v1-40-x.sdk.operatorframework.io" + kube_version = "1.32.0" + client_go_version = "v0.32.4" + [[params.versions]] version = "v1.39" url = "https://v1-39-x.sdk.operatorframework.io" diff --git a/website/content/en/docs/installation/_index.md b/website/content/en/docs/installation/_index.md index ff4de2f1424..d2b30a0d7ce 100644 --- a/website/content/en/docs/installation/_index.md +++ b/website/content/en/docs/installation/_index.md @@ -36,7 +36,7 @@ export OS=$(uname | awk '{print tolower($0)}') Download the binary for your platform: ```sh -export OPERATOR_SDK_DL_URL=https://github.com/operator-framework/operator-sdk/releases/download/v1.39.2 +export OPERATOR_SDK_DL_URL=https://github.com/operator-framework/operator-sdk/releases/download/v1.40.0 curl -LO ${OPERATOR_SDK_DL_URL}/operator-sdk_${OS}_${ARCH} ``` diff --git a/website/content/en/docs/upgrading-sdk-version/v1.40.0.md b/website/content/en/docs/upgrading-sdk-version/v1.40.0.md new file mode 100644 index 00000000000..2164854c65d --- /dev/null +++ b/website/content/en/docs/upgrading-sdk-version/v1.40.0.md 
@@ -0,0 +1,481 @@ +--- +title: v1.40.0 +weight: 998960000 +--- + +## Upgrade OPM version to v1.55.0 in the Makefile + +Update the OPM version in your Makefile to `v1.55.0`: + +```makefile +-const opmVersion = "v1.23.0" ++const opmVersion = "v1.55.0" +``` + +```makefile +- curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$${OS}-$${ARCH}-opm ;\ ++ curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.55.0/$${OS}-$${ARCH}-opm ;\ +``` + +_See [#6953](https://github.com/operator-framework/operator-sdk/pull/6953) for more details._ + +## Add a devcontainer for Go-based operators + +Create the devcontainer configuration in the root of the repository +under `.devcontainer`. +1. Create a new directory called `.devcontainer` in the root of your project. +2. Copy the contents of the [testdata/go/v4/memcached-operator/.devcontainer](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/.devcontainer) + available in the Operator SDK repository for the tag release `v1.40.0`. + +_See [#6928](https://github.com/operator-framework/operator-sdk/pull/6928) for more details._ + +## Add new GitHub actions for Go-based operators + +Add the actions configuration in the `.github/workflows` directory. +The new actions are: +- lint.yaml: Lint the code using golangci-lint +- test.yaml: Run the tests using go test +- test-e2e.yaml: Run the e2e tests using go test +You can obtain this configuration to be added +to your project by looking at the files available +in `testdata/go/v4/memcached-operator/.github/workflows` for this release. 
+[testdata/go/v4/memcached-operator/.github/workflows](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/.github/workflows) + +_See [#6928](https://github.com/operator-framework/operator-sdk/pull/6928) for more details._ + +## Update your project to properly support TLS certificates for webhooks and metrics server + +1. Update the `main.go` file in your project to support TLS certificates for webhooks and metrics server. + +- Add the new flag definitions to accept custom certificate file paths and names: + + ```go + func main() { + ... + var metricsCertPath, metricsCertName, metricsCertKey string + var webhookCertPath, webhookCertName, webhookCertKey string + ... + flag.StringVar(&webhookCertPath, "webhook-cert-path", "", "The directory that contains the webhook certificate.") + flag.StringVar(&webhookCertName, "webhook-cert-name", "tls.crt", "The name of the webhook certificate file.") + flag.StringVar(&webhookCertKey, "webhook-cert-key", "tls.key", "The name of the webhook key file.") + flag.StringVar(&metricsCertPath, "metrics-cert-path", "", "The directory that contains the metrics server certificate.") + flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.") + flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.") + ``` + +- After this conditional check: + + ```go + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + ``` + + Insert the following code to configure certificate watchers for webhooks and metrics: + + ```go + var metricsCertWatcher, webhookCertWatcher *certwatcher.CertWatcher + webhookTLSOpts := tlsOpts + + if len(webhookCertPath) > 0 { + setupLog.Info("Initializing webhook certificate watcher using provided certificates", + "webhook-cert-path", webhookCertPath, "webhook-cert-name", webhookCertName, "webhook-cert-key", webhookCertKey) + + var err error + webhookCertWatcher, 
err = certwatcher.New( + filepath.Join(webhookCertPath, webhookCertName), + filepath.Join(webhookCertPath, webhookCertKey), + ) + if err != nil { + setupLog.Error(err, "Failed to initialize webhook certificate watcher") + os.Exit(1) + } + + webhookTLSOpts = append(webhookTLSOpts, func(config *tls.Config) { + config.GetCertificate = webhookCertWatcher.GetCertificate + }) + } + ``` + +- Update the webhook server TLS options: + + Replace: + ```go + TLSOpts: tlsOpts, + ``` + + With: + ```go + TLSOpts: webhookTLSOpts, + ``` + +- Before initializing the manager, configure the metrics certificate watcher if metrics certs are provided: + + ```go + if len(metricsCertPath) > 0 { + setupLog.Info("Initializing metrics certificate watcher using provided certificates", + "metrics-cert-path", metricsCertPath, "metrics-cert-name", metricsCertName, "metrics-cert-key", metricsCertKey) + + var err error + metricsCertWatcher, err = certwatcher.New( + filepath.Join(metricsCertPath, metricsCertName), + filepath.Join(metricsCertPath, metricsCertKey), + ) + if err != nil { + setupLog.Error(err, "Failed to initialize metrics certificate watcher") + os.Exit(1) + } + + metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { + config.GetCertificate = metricsCertWatcher.GetCertificate + }) + } + + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ + ... 
+ }) + ``` + +- Before calling `AddHealthzCheck`, ensure the certificate watchers are registered with the manager: + + ```go + if metricsCertWatcher != nil { + setupLog.Info("Adding metrics certificate watcher to manager") + if err := mgr.Add(metricsCertWatcher); err != nil { + setupLog.Error(err, "Unable to add metrics certificate watcher to manager") + os.Exit(1) + } + } + + if webhookCertWatcher != nil { + setupLog.Info("Adding webhook certificate watcher to manager") + if err := mgr.Add(webhookCertWatcher); err != nil { + setupLog.Error(err, "Unable to add webhook certificate watcher to manager") + os.Exit(1) + } + } + + if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { + setupLog.Error(err, "Unable to set up health check") + os.Exit(1) + } + ``` + +Note that you can use as reference the `main.go` file available in the +Operator SDK repository for the tag release `v1.40.0` to see how the code should look like, +see: [testdata/go/v4/memcached-operator/cmd/main.go](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/cmd/main.go) + +2. 
Add the new certificates in the `config/certmanager` directory: + +- Add the new files: + - `certificate-metrics.yaml` with the content: [testdata/go/v4/memcached-operator/config/certmanager/certificate-metrics.yaml](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/certmanager/certificate-metrics.yaml) + - `issuer.yaml` with the content: [testdata/go/v4/memcached-operator/config/certmanager/issuer.yaml](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/certmanager/issuer.yaml) + +- Rename certificate.yaml to `certificate-webhook.yaml` + +- Update the `kustomization.yaml` file to include the new files and remove the old ones: + Replace: `- certificate.yaml` + + With: + ```yaml + resources: + - certificate-metrics.yaml + - certificate-webhook.yaml + - issuer.yaml + ``` + **NOTE**: You can see the complete file in the repository for the tag release `v1.40.0`: [testdata/go/v4/memcached-operator/config/certmanager/kustomization.yaml](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/certmanager/kustomization.yaml) + +3. Update the `config/default/kustomization.yaml` to allow work with the new options: + +Under `patches` ensure that you have: + +``` +patches: + ... + # Uncomment the patches line if you enable Metrics and CertManager + # [METRICS-WITH-CERTS] To enable metrics protected with certManager, uncomment the following line. + # This patch will protect the metrics with certManager self-signed certs. + - path: cert_metrics_manager_patch.yaml + target: + kind: Deployment + + # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in + # crd/kustomization.yaml + - path: manager_webhook_patch.yaml + target: + kind: Deployment +... 
+```
+
+Under the replacements section, replace:
+
+```yaml
+ - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs
+ kind: Certificate
+ group: cert-manager.io
+ version: v1
+ name: serving-cert # this name should match the one in certificate.yaml
+ fieldPath: .metadata.namespace # namespace of the certificate CR
+ targets:
+ - select:
+ kind: ValidatingWebhookConfiguration
+ fieldPaths:
+ - .metadata.annotations.[cert-manager.io/inject-ca-from]
+ options:
+ delimiter: '/'
+ index: 0
+ create: true
+ - select:
+ kind: MutatingWebhookConfiguration
+ fieldPaths:
+ - .metadata.annotations.[cert-manager.io/inject-ca-from]
+ options:
+ delimiter: '/'
+ index: 0
+ create: true
+ - select:
+ kind: CustomResourceDefinition
+ fieldPaths:
+ - .metadata.annotations.[cert-manager.io/inject-ca-from]
+ options:
+ delimiter: '/'
+ index: 0
+ create: true
+```
+
+With: the code from Kubebuilder samples [testdata/project-v4/config/default/kustomization.yaml](https://github.com/kubernetes-sigs/kubebuilder/blob/v4.5.2/testdata/project-v4/config/default/kustomization.yaml#L60-L155)
+
+**NOTE:** You can see the complete file in the repository for the tag release `v1.40.0`: [testdata/go/v4/memcached-operator/config/default/kustomization.yaml](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/default/kustomization.yaml)
+
+4. Add the new file to allow patch the certs for the metrics: [testdata/go/v4/memcached-operator/config/default/cert_metrics_manager_patch.yaml](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/default/cert_metrics_manager_patch.yaml)
+5. Replace the content of `config/default/manager_webhook_patch.yaml` with: [testdata/go/v4/memcached-operator/config/default/config/default/manager_webhook_patch.yaml](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/default/config/default/manager_webhook_patch.yaml)
+6. Update the `config/manager/manager.yaml` to include the ports and volumes to allow the patch to work properly:
+
+```
+...
+ env:
+ - name: MEMCACHED_IMAGE
+ value: memcached:1.4.36-alpine
++ ports: []
+...
+```
+
+```
+...
+ requests:
+ cpu: 10m
+ memory: 64Mi
++ volumeMounts: []
++ volumes: []
+ serviceAccountName: controller-manager
+ terminationGracePeriodSeconds: 10
+...
+```
+
+_See [#6928](https://github.com/operator-framework/operator-sdk/pull/6928) for more details._
+
+## Update your project to properly support TLS for Prometheus scraping
+
+**Changes required under the hood `config/prometheus/`**
+
+- 1. Update the `config/prometheus/kutomization.yaml` add at the bottom:
+
+```yaml
+ # [PROMETHEUS-WITH-CERTS] The following patch configures the ServiceMonitor in ../prometheus
+ # to securely reference certificates created and managed by cert-manager.
+ # Additionally, ensure that you uncomment the [METRICS WITH CERTMANAGER] patch under config/default/kustomization.yaml
+ # to mount the "metrics-server-cert" secret in the Manager Deployment.
+ #patches:
+ # - path: monitor_tls_patch.yaml
+ # target:
+ # kind: ServiceMonitor
+```
+
+- 2. Add the file [config/prometheus/monitor_tls_patch.yaml](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/prometheus/monitor_tls_patch.yaml) to do the patch for the ServiceMonitor.
+
+_See [#6928](https://github.com/operator-framework/operator-sdk/pull/6928) for more details._
+
+## Update your project to properly support CA injection for CRDs with conversion webhooks
+
+**Changes required under the hood `config/crd/`**
+
+- 1. Update the `config/crd/kustomization.yaml` for the file to include the new marker
+`+kubebuilder:scaffold:crdkustomizewebhookpatch` for the tool be able to inject
+the path for any new CRD that is created with the `--conversion` flag.
+- 2. Ensure that under the patches section you have only patches for the CRDs which
+are created with the `--conversion` flag.
+- 3. Remove the files prefixed with `cainjection_.yaml`. You should have only
+the files prefixed with `webhookpatch_.yaml` for the CRDs that have the
+`--conversion` flag. ([example](https://github.com/kubernetes-sigs/kubebuilder/tree/v4.5.2/testdata/project-v4/config/crd/patches))
+
+**Changes required under the hood `config/default/`**
+
+- 1. Update the `config/default/kustomization.yaml` for the file to include the new marker
+`+kubebuilder:scaffold:crdkustomizecainjectionns` for the tool be able to inject for any new CRD
+that is created with the `--conversion` flag as well to have commented the default replacement.
+For further information see an example in Kubebuilder testdata samples [testdata/project-v4/config/default/kustomization.yaml](https://github.com/kubernetes-sigs/kubebuilder/blob/7c707052daa2e8bd51f47548c02710b1f1f7a77e/testdata/project-v4/config/default/kustomization.yaml#L157-L252).
+
+**NOTE:** You can see the complete file in the repository for the tag release `v1.40.0`: [testdata/go/v4/memcached-operator/config/default/kustomization.yaml](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/default/kustomization.yaml)
+
+_See [#6928](https://github.com/operator-framework/operator-sdk/pull/6928) for more details._
+
+## Use `.Named("")` in SetupWithManager for controller registration
+
+To improve clarity and avoid naming collisions in multi-group Go-based operator projects,
+each controller's `SetupWithManager` call now includes an explicit `.Named("")` declaration.
+
+Example change:
+```go
+func (r *DeploymentReconciler) SetupWithManager(mgr ctrl.Manager) error {
+ return ctrl.NewControllerManagedBy(mgr).
+ For(&appsv1.Deployment{}).
+ Named("apps-deployment").
+ Complete(r)
+ }
+```
+
+This ensures controller names are unique and consistent across different APIs in multi-group scenarios,
+which improves controller lifecycle management and logging.
+
+_See [#6928](https://github.com/operator-framework/operator-sdk/pull/6928) for more details._
+
+## ENVTEST version automation and improved test binary discovery
+
+The SDK now automates the setup of ENVTEST for Go-based operators by dynamically deriving
+the required versions from `go.mod` rather than requiring manual updates in the Makefile.
+
+1. Update the `Makefile`:
+- The variables `ENVTEST_VERSION` and `ENVTEST_K8S_VERSION` are now computed using `go list`:
+ ```makefile
+ ENVTEST_VERSION := $(shell go list -m -f "{{ .Version }}" sigs.k8s.io/controller-runtime | awk -F'[v.]' '{printf "release-%d.%d", $$2, $$3}')
+ ENVTEST_K8S_VERSION := $(shell go list -m -f "{{ .Version }}" k8s.io/api | awk -F'[v.]' '{printf "1.%d", $$3}')
+ ```
+- A new target `setup-envtest` was introduced to automatically install the binaries:
+ ```makefile
+ .PHONY: setup-envtest
+ setup-envtest:
+ @$(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path || { \
+ echo "Error setting up envtest"; exit 1; }
+ ```
+- The `test` target now depends on `setup-envtest` to ensure binaries are ready before running tests.
+
+2. Update the suite_test.go files for controllers and webhooks:
+In each `internal/controller/suite_test.go` and `internal/webhook//webhook/suite_test.go` file:
+- A new helper function `getFirstFoundEnvTestBinaryDir()` was added:
+ ```go
+ func getFirstFoundEnvTestBinaryDir() string {
+ basePath := filepath.Join("..", "..", "..", "bin", "k8s")
+ entries, err := os.ReadDir(basePath)
+ if err != nil {
+ logf.Log.Error(err, "Failed to read directory", "path", basePath)
+ return ""
+ }
+ for _, entry := range entries {
+ if entry.IsDir() {
+ return filepath.Join(basePath, entry.Name())
+ }
+ }
+ return ""
+ }
+ ```
+- `testEnv.BinaryAssetsDirectory` now uses this helper to locate installed ENVTEST binaries:
+ ```go
+ testEnv = &envtest.Environment{
+ BinaryAssetsDirectory: getFirstFoundEnvTestBinaryDir(),
+ ...
+ }
+ ```
+
+_See [#6928](https://github.com/operator-framework/operator-sdk/pull/6928) for more details._
+
+## Replace `exportloopref` with `copyloopvar` in `.golangci.yaml`
+
+The `exportloopref` linter has been deprecated in recent versions of GolangCI-Lint.
+It is now replaced with the more accurate and actively maintained `copyloopvar` linter.
+
+Update your `.golangci.yaml` file by replacing:
+```yaml
+- exportloopref
+```
+With:
+```yaml
+- copyloopvar
+```
+
+_See [#6928](https://github.com/operator-framework/operator-sdk/pull/6928) for more details._
+
+## Add `lint-config` target to Makefile to verify linter configuration
+
+The target uses the `config verify` subcommand provided by `golangci-lint`:
+
+```makefile
+.PHONY: lint-config
+lint-config: golangci-lint ## Verify golangci-lint linter configuration
+ $(GOLANGCI_LINT) config verify
+```
+
+_See [#6928](https://github.com/operator-framework/operator-sdk/pull/6928) for more details._
+
+## Upgrade to Go 1.23 and Kubernetes v0.32.1 dependencies
+
+1. Update your `go.mod` to reflect the new versions:
+```go
+go 1.23
+
+require (
+ github.com/onsi/ginkgo/v2 v2.22.0
+ github.com/onsi/gomega v1.36.1
+ k8s.io/api v0.32.1
+ k8s.io/apimachinery v0.32.1
+ k8s.io/client-go v0.32.1
+ k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
+ sigs.k8s.io/controller-runtime v0.20.4
+)
+```
+
+2. Update the Go toolchain in your `Dockerfile` to match:
+```dockerfile
+FROM golang:1.23 AS builder
+```
+
+_See [#6928](https://github.com/operator-framework/operator-sdk/pull/6928) for more details._
+
+## You must change your webhooks implementation to be able to use controller-runtime v0.20.0+
+
+If you have no webhooks, you can skip this migration. Otherwise, ensure that you check the described
+steps to update your project in the release notes of Kubebuilder `v4.3.0` release: https://github.com/kubernetes-sigs/kubebuilder/releases/tag/v4.3.0
+
+_See [#6928](https://github.com/operator-framework/operator-sdk/pull/6928) for more details._
+
+## Add `app.kubernetes.io/name` label to your manifests
+
+The Operator SDK now adds the `app.kubernetes.io/name` label to scaffolded Kubernetes
+manifests such as Deployments, Services, and RBAC resources. This label aligns with
+Kubernetes labeling conventions and improves compatibility with observability and automation tools.
+
+If upgrading from a previous version, you may want to add the following label manually
+to your existing manifests:
+
+```yaml
+metadata:
+ labels:
+ app.kubernetes.io/name:
+```
+
+_See [#6928](https://github.com/operator-framework/operator-sdk/pull/6928) for more details._
+
+## With you wish manually add those roles to your project
+
+See the permissions and RBAC generate as an example to know how properly
+create those files for each CRD you have in your project by looking at the
+sample in the repository for the tag release `v1.40.0`: [testdata/go/v4/memcached-operator/config/rbac](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/rbac)
+
+_See [#6928](https://github.com/operator-framework/operator-sdk/pull/6928) for more details._
+
+## With you wish manually add those roles to your project
+
+See the permissions and RBAC generate as an example to know how properly
+create those files for each CRD you have in your project by looking at the
+sample in the repository for the tag release `v1.40.0`: [testdata/go/v4/memcached-operator/config/rbac](https://github.com/operator-framework/operator-sdk/tree/v1.40.0/testdata/go/v4/memcached-operator/config/rbac)
+
+_See [#6928](https://github.com/operator-framework/operator-sdk/pull/6928) for more details._