Upgrade to operator-sdk 1.41.1

Rescaffold the barbican-operator to operator-sdk 1.41.1, which includes:
 - Reorganize project structure (pkg/ -> internal/)
 - Move webhook implementations to internal/webhook/v1beta1/
 - Add new cmd/main.go entrypoint with updated controller initialization
 - Update RBAC, certmanager, and prometheus configurations
 - Enhance network policies for metrics and webhook traffic
 - Add missing APIs to PROJECT
 - Remove auto-generated test suite scaffolding
 - Update build workflow and Dockerfile to version 1.41.1

This upgrade modernizes the operator structure and aligns with the latest
operator-sdk best practices.

Jira: OSPRH-21925

Depends-On: openstack-k8s-operators/openstack-operator#1683

Author: dprince

.github/workflows/build-barbican-operator.yaml

@@ -16,7 +16,7 @@ jobs:
     with:
       operator_name: barbican
       go_version: 1.24.x
-      operator_sdk_version: 1.31.0
+      operator_sdk_version: 1.41.1
     secrets:
       IMAGENAMESPACE: ${{ secrets.IMAGENAMESPACE }}
       QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}

Dockerfile

@@ -26,7 +26,7 @@ RUN mkdir -p ${DEST_ROOT}/usr/local/bin/
 RUN if [ ! -f $CACHITO_ENV_FILE ]; then go mod download ; fi
 
 # Build manager
-RUN if [ -f $CACHITO_ENV_FILE ] ; then source $CACHITO_ENV_FILE ; fi ; env ${GO_BUILD_EXTRA_ENV_ARGS} go build ${GO_BUILD_EXTRA_ARGS} -a -o ${DEST_ROOT}/manager main.go
+RUN if [ -f $CACHITO_ENV_FILE ] ; then source $CACHITO_ENV_FILE ; fi ; env ${GO_BUILD_EXTRA_ENV_ARGS} go build ${GO_BUILD_EXTRA_ARGS} -a -o ${DEST_ROOT}/manager cmd/main.go
 
 RUN cp -r templates ${DEST_ROOT}/templates
 

Makefile

@@ -48,7 +48,7 @@ endif
 
 # Set the Operator SDK version to use. By default, what is installed on the system is used.
 # This is useful for CI or a project to utilize a specific version of the operator-sdk toolkit.
-OPERATOR_SDK_VERSION ?= v1.31.0
+OPERATOR_SDK_VERSION ?= v1.41.1
 
 # Image URL to use all building/pushing image targets
 DEFAULT_IMG ?= quay.io/openstack-k8s-operators/barbican-operator:latest
@@ -125,13 +125,13 @@ PROC_CMD = --procs ${PROCS}
 test: manifests generate fmt vet envtest ginkgo ## Run tests.
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" \
 	OPERATOR_TEMPLATES="$(shell pwd)/templates" \
-	$(GINKGO) --trace --cover --coverpkg=../../pkg/barbican,../../controllers,../../api/v1beta1 --coverprofile cover.out --covermode=atomic ${PROC_CMD} $(GINKGO_ARGS) ./tests/...
+	$(GINKGO) --trace --cover --coverpkg=../../internal/barbican,../../internal/controller,../../api/v1beta1 --coverprofile cover.out --covermode=atomic ${PROC_CMD} $(GINKGO_ARGS) ./test/...
 
 ##@ Build
 
 .PHONY: build
 build: manifests generate fmt vet ## Build manager binary.
-	go build -o bin/manager main.go
+	go build -o bin/manager cmd/main.go
 
 .PHONY: run
 run: export METRICS_PORT?=8080
@@ -141,7 +141,7 @@ run: export ENABLE_WEBHOOKS?=false
 run: export OPERATOR_TEMPLATES=./templates/
 run: manifests generate fmt vet ## Run a controller from your host.
 	/bin/bash hack/clean_local_webhook.sh
-	go run ./main.go -metrics-bind-address ":$(METRICS_PORT)" -health-probe-bind-address ":$(HEALTH_PORT)" -pprof-bind-address ":$(PPROF_PORT)"
+	go run ./cmd/main.go -metrics-bind-address ":$(METRICS_PORT)" -health-probe-bind-address ":$(HEALTH_PORT)" -pprof-bind-address ":$(PPROF_PORT)"
 
 # If you wish built the manager image targeting other platforms you can use the --platform flag.
 # (i.e. docker build --platform linux/arm64 ). However, you must enable docker buildKit for it.
@@ -208,7 +208,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 GINKGO ?= $(LOCALBIN)/ginkgo
 
 ## Tool Versions
-KUSTOMIZE_VERSION ?= v3.8.7
+KUSTOMIZE_VERSION ?= v5.6.0
 CONTROLLER_TOOLS_VERSION ?= v0.18.0
 GOTOOLCHAIN_VERSION ?= go1.24.0
 

PROJECT

@@ -1,6 +1,10 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
 domain: openstack.org
 layout:
-- go.kubebuilder.io/v3
+- go.kubebuilder.io/v4
 plugins:
   manifests.sdk.operatorframework.io/v2: {}
   scorecard.sdk.operatorframework.io/v2: {}
@@ -38,4 +42,13 @@ resources:
   kind: BarbicanWorker
   path: github.com/openstack-k8s-operators/barbican-operator/api/v1beta1
   version: v1beta1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: openstack.org
+  group: barbican
+  kind: BarbicanKeystoneListener
+  path: github.com/openstack-k8s-operators/barbican-operator/api/v1beta1
+  version: v1beta1
 version: "3"

api/bases/barbican.openstack.org_barbicanapis.yaml

@@ -98,7 +98,7 @@ spec:
                 type: boolean
               enabledSecretStores:
                 items:
-                  description: This SecretStore type is used by the EnabledSecretStores
+                  description: SecretStore type is used by the EnabledSecretStores
                     variable inside the specification.
                   enum:
                   - simple_crypto
@@ -110,8 +110,8 @@ spec:
                 x-kubernetes-list-type: set
               globalDefaultSecretStore:
                 default: simple_crypto
-                description: This SecretStore type is used by the EnabledSecretStores
-                  variable inside the specification.
+                description: SecretStore type is used by the EnabledSecretStores variable
+                  inside the specification.
                 enum:
                 - simple_crypto
                 - pkcs11

api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml

@@ -90,7 +90,7 @@ spec:
                 type: object
               enabledSecretStores:
                 items:
-                  description: This SecretStore type is used by the EnabledSecretStores
+                  description: SecretStore type is used by the EnabledSecretStores
                     variable inside the specification.
                   enum:
                   - simple_crypto
@@ -102,8 +102,8 @@ spec:
                 x-kubernetes-list-type: set
               globalDefaultSecretStore:
                 default: simple_crypto
-                description: This SecretStore type is used by the EnabledSecretStores
-                  variable inside the specification.
+                description: SecretStore type is used by the EnabledSecretStores variable
+                  inside the specification.
                 enum:
                 - simple_crypto
                 - pkcs11

api/bases/barbican.openstack.org_barbicans.yaml

@@ -670,7 +670,7 @@ spec:
                 type: object
               enabledSecretStores:
                 items:
-                  description: This SecretStore type is used by the EnabledSecretStores
+                  description: SecretStore type is used by the EnabledSecretStores
                     variable inside the specification.
                   enum:
                   - simple_crypto
@@ -682,8 +682,8 @@ spec:
                 x-kubernetes-list-type: set
               globalDefaultSecretStore:
                 default: simple_crypto
-                description: This SecretStore type is used by the EnabledSecretStores
-                  variable inside the specification.
+                description: SecretStore type is used by the EnabledSecretStores variable
+                  inside the specification.
                 enum:
                 - simple_crypto
                 - pkcs11

api/bases/barbican.openstack.org_barbicanworkers.yaml

@@ -88,7 +88,7 @@ spec:
                 type: object
               enabledSecretStores:
                 items:
-                  description: This SecretStore type is used by the EnabledSecretStores
+                  description: SecretStore type is used by the EnabledSecretStores
                     variable inside the specification.
                   enum:
                   - simple_crypto
@@ -100,8 +100,8 @@ spec:
                 x-kubernetes-list-type: set
               globalDefaultSecretStore:
                 default: simple_crypto
-                description: This SecretStore type is used by the EnabledSecretStores
-                  variable inside the specification.
+                description: SecretStore type is used by the EnabledSecretStores variable
+                  inside the specification.
                 enum:
                 - simple_crypto
                 - pkcs11

api/v1beta1/barbican_types.go

@@ -42,7 +42,7 @@ const (
 	// BarbicanKeystoneListenerContainerImage is the fall-back container image for BarbicanAPI
 	BarbicanKeystoneListenerContainerImage = "quay.io/podified-antelope-centos9/openstack-barbican-keystone-listener:current-podified"
 
-	// Barbican API timeout
+	// APITimeout is the default Barbican API timeout
 	APITimeout = 90
 )
 

api/v1beta1/barbican_webhook.go

@@ -131,41 +131,43 @@ func (r *Barbican) ValidateCreate() (admission.Warnings, error) {
 
 // ValidateCreate - Exported function wrapping non-exported validate functions,
 // this function can be called externally to validate an barbican spec.
-func (r *BarbicanSpec) ValidateCreate(basePath *field.Path, namespace string) field.ErrorList {
+func (spec *BarbicanSpec) ValidateCreate(basePath *field.Path, namespace string) field.ErrorList {
 	var allErrs field.ErrorList
 
 	// validate the service override key is valid
 	allErrs = append(allErrs, service.ValidateRoutedOverrides(
 		basePath.Child("barbicanAPI").Child("override").Child("service"),
-		r.BarbicanAPI.Override.Service)...)
+		spec.BarbicanAPI.Override.Service)...)
 
 	// pkcs11 verifications
-	r.ValidatePKCS11(basePath, &allErrs)
+	spec.ValidatePKCS11(basePath, &allErrs)
 
-	allErrs = append(allErrs, r.ValidateBarbicanTopology(basePath, namespace)...)
+	allErrs = append(allErrs, spec.ValidateBarbicanTopology(basePath, namespace)...)
 
 	return allErrs
 }
 
-func (r *BarbicanSpec) ValidatePKCS11(basePath *field.Path, allErrs *field.ErrorList) {
-	if slices.Contains(r.EnabledSecretStores, SecretStorePKCS11) {
-                if r.PKCS11 == nil {
+// ValidatePKCS11 validates that PKCS11 configuration is provided when PKCS11 is an enabled secret store
+func (spec *BarbicanSpec) ValidatePKCS11(basePath *field.Path, allErrs *field.ErrorList) {
+	if slices.Contains(spec.EnabledSecretStores, SecretStorePKCS11) {
+                if spec.PKCS11 == nil {
                         *allErrs = append(*allErrs, field.Required(basePath.Child("PKCS11"),
                                 "PKCS11 specification is missing, PKCS11 is required when pkcs11 is an enabled SecretStore"),
                         )
                 }
         }
 }
 
-func (r *BarbicanSpecCore) ValidateCreate(basePath *field.Path, namespace string) field.ErrorList {
+// ValidateCreate validates BarbicanSpecCore on creation
+func (spec *BarbicanSpecCore) ValidateCreate(basePath *field.Path, namespace string) field.ErrorList {
 	var allErrs field.ErrorList
 
 	// validate the service override key is valid
 	allErrs = append(allErrs, service.ValidateRoutedOverrides(
 		basePath.Child("barbicanAPI").Child("override").Child("service"),
-		r.BarbicanAPI.Override.Service)...)
+		spec.BarbicanAPI.Override.Service)...)
 
-	allErrs = append(allErrs, r.ValidateBarbicanTopology(basePath, namespace)...)
+	allErrs = append(allErrs, spec.ValidateBarbicanTopology(basePath, namespace)...)
 	return allErrs
 }
 
@@ -196,30 +198,31 @@ func (r *Barbican) ValidateUpdate(old runtime.Object) (admission.Warnings, error
 
 // ValidateUpdate - Exported function wrapping non-exported validate functions,
 // this function can be called externally to validate an barbican spec.
-func (r *BarbicanSpec) ValidateUpdate(old BarbicanSpec, basePath *field.Path, namespace string) field.ErrorList {
+func (spec *BarbicanSpec) ValidateUpdate(old BarbicanSpec, basePath *field.Path, namespace string) field.ErrorList {
 	var allErrs field.ErrorList
 
 	// validate the service override key is valid
 	allErrs = append(allErrs, service.ValidateRoutedOverrides(
 		basePath.Child("barbicanAPI").Child("override").Child("service"),
-		r.BarbicanAPI.Override.Service)...)
+		spec.BarbicanAPI.Override.Service)...)
 
 	// pkcs11 verifications
-	r.ValidatePKCS11(basePath, &allErrs)
+	spec.ValidatePKCS11(basePath, &allErrs)
 
-	allErrs = append(allErrs, r.ValidateBarbicanTopology(basePath, namespace)...)
+	allErrs = append(allErrs, spec.ValidateBarbicanTopology(basePath, namespace)...)
 	return allErrs
 }
 
-func (r *BarbicanSpecCore) ValidateUpdate(old BarbicanSpecCore, basePath *field.Path, namespace string) field.ErrorList {
+// ValidateUpdate validates BarbicanSpecCore on update
+func (spec *BarbicanSpecCore) ValidateUpdate(old BarbicanSpecCore, basePath *field.Path, namespace string) field.ErrorList {
 	var allErrs field.ErrorList
 
 	// validate the service override key is valid
 	allErrs = append(allErrs, service.ValidateRoutedOverrides(
 		basePath.Child("barbicanAPI").Child("override").Child("service"),
-		r.BarbicanAPI.Override.Service)...)
+		spec.BarbicanAPI.Override.Service)...)
 
-	allErrs = append(allErrs, r.ValidateBarbicanTopology(basePath, namespace)...)
+	allErrs = append(allErrs, spec.ValidateBarbicanTopology(basePath, namespace)...)
 	return allErrs
 }
 
@@ -231,6 +234,7 @@ func (r *Barbican) ValidateDelete() (admission.Warnings, error) {
 	return nil, nil
 }
 
+// GetDefaultRouteAnnotations returns the default route annotations for Barbican API
 func (spec *BarbicanSpecCore) GetDefaultRouteAnnotations() (annotations map[string]string) {
 	return map[string]string{
 		"haproxy.router.openshift.io/timeout": fmt.Sprintf("%ds", barbicanDefaults.BarbicanAPITimeout),