chore(discovery): replace Endpoints with EndpointSlices

README.md

@@ -133,7 +133,7 @@ interacting with the deployed Cryostat instance(s).
 When using the web-client, users can login with their username and password associated with their OpenShift account. User credentials will be remembered for the duration of the session.
 
 If the current user account does not have sufficient permissions to list
-routes, list endpoints, or perform other actions that Cryostat requires,
+routes, list endpointslices, or perform other actions that Cryostat requires,
 then the user may also try to authenticate using the Operator's service
 account. This, of course, assumes that the user has permission to view this
 service account's secrets.

bundle/manifests/cryostat-operator-cryostat-namespaced_rbac.authorization.k8s.io_v1_clusterrole.yaml

@@ -7,9 +7,9 @@ metadata:
   name: cryostat-operator-cryostat-namespaced
 rules:
 - apiGroups:
-  - ""
+  - discovery.k8s.io
   resources:
-  - endpoints
+  - endpointslices
   verbs:
   - get
   - list

bundle/manifests/cryostat-operator-oauth-client_rbac.authorization.k8s.io_v1_clusterrole.yaml

@@ -30,9 +30,16 @@ rules:
   - ""
   resources:
   - replicationcontrollers
-  - endpoints
   verbs:
   - get
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - apps
   resources:

bundle/manifests/cryostat-operator.clusterserviceversion.yaml

@@ -24,7 +24,7 @@ metadata:
     capabilities: Seamless Upgrades
     categories: Monitoring, Developer Tools
     containerImage: quay.io/cryostat/cryostat-operator:4.1.0-dev
-    createdAt: "2025-05-14T20:50:18Z"
+    createdAt: "2025-06-12T14:26:29Z"
     description: JVM monitoring and profiling tool
     operatorframework.io/initialization-resource: |-
       {
@@ -949,7 +949,6 @@ spec:
                 - ""
               resources:
                 - configmaps
-                - endpoints
                 - events
                 - persistentvolumeclaims
                 - pods
@@ -1049,6 +1048,14 @@ spec:
                 - get
                 - list
                 - update
+            - apiGroups:
+                - discovery.k8s.io
+              resources:
+                - endpointslices
+              verbs:
+                - get
+                - list
+                - watch
             - apiGroups:
                 - networking.k8s.io
               resources:

config/rbac/cryostat_namespaced_role.yaml

@@ -12,9 +12,9 @@ rules:
       - list
       - watch
     apiGroups:
-      - ''
+      - discovery.k8s.io
     resources:
-      - endpoints
+      - endpointslices
   - verbs:
       - get
     apiGroups:

config/rbac/oauth_client.yaml

@@ -29,9 +29,16 @@ rules:
   - ""
   resources:
   - replicationcontrollers
-  - endpoints
   verbs:
   - get
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - apps
   resources:

config/rbac/role.yaml

@@ -8,7 +8,6 @@ rules:
   - ""
   resources:
   - configmaps
-  - endpoints
   - events
   - persistentvolumeclaims
   - pods
@@ -108,6 +107,14 @@ rules:
   - get
   - list
   - update
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - networking.k8s.io
   resources:

internal/controllers/cryostat_controller.go

@@ -49,7 +49,8 @@ func NewCryostatReconciler(config *ReconcilerConfig) (*CryostatReconciler, error
 // +kubebuilder:rbac:groups=operator.cryostat.io,resources=cryostats,verbs=*
 // +kubebuilder:rbac:groups=operator.cryostat.io,resources=cryostats/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=operator.cryostat.io,resources=cryostats/finalizers,verbs=update
-// +kubebuilder:rbac:groups="",resources=pods;services;services/finalizers;endpoints;persistentvolumeclaims;events;configmaps;secrets;serviceaccounts,verbs=*
+// +kubebuilder:rbac:groups="",resources=pods;services;services/finalizers;persistentvolumeclaims;events;configmaps;secrets;serviceaccounts,verbs=*
+// +kubebuilder:rbac:groups=discovery.k8s.io,resources=endpointslices,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=replicationcontrollers,verbs=get
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=create;get;list;update;watch;delete
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=create;get;list;update;watch;delete

internal/images/custom-scorecard-tests/rbac/scorecard_role.yaml

@@ -80,11 +80,18 @@ rules:
   - patch
   - delete
   - get
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:
   - replicationcontrollers
-  - endpoints
   verbs:
   - get
 - apiGroups:

internal/test/resources.go

@@ -4113,8 +4113,8 @@ func (r *TestResources) NewRole() *rbacv1.Role {
 	rules := []rbacv1.PolicyRule{
 		{
 			Verbs:     []string{"get", "list", "watch"},
-			APIGroups: []string{""},
-			Resources: []string{"endpoints"},
+			APIGroups: []string{"discovery.k8s.io"},
+			Resources: []string{"endpointslices"},
 		},
 		{
 			Verbs:     []string{"get"},