manually run make upgrade-klone

Signed-off-by: Ashley Davis <[email protected]>

Author: SgtCoDFish

.github/workflows/govulncheck.yaml

@@ -28,7 +28,7 @@ jobs:
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 

.github/workflows/make-self-upgrade.yaml

@@ -42,7 +42,7 @@ jobs:
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 

klone.yaml

@@ -10,50 +10,50 @@ targets:
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
+      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
+      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
       repo_path: modules/go
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
+      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
+      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
+      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
+      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
       repo_path: modules/klone
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
+      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
       repo_path: modules/oci-build
     - folder_name: oci-publish
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
+      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
       repo_path: modules/oci-publish
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
+      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
+      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
       repo_path: modules/tools

make/_shared/generate-verify/util/verify.sh

@@ -44,7 +44,17 @@ cleanup() {
 }
 trap "cleanup" EXIT SIGINT
 
-rsync -aEq "${projectdir}/." "${tmp}" --exclude "_bin/"
+# Why not just "cp" to the tmp dir?
+# A dumb "cp" will fail sometimes since _bin can get changed while it's being copied if targets are run in parallel,
+# and cp doesn't have some universal "exclude" option to ignore "_bin"
+#
+# We previously used "rsync" here, but:
+# 1. That's another tool we need to depend on
+# 2. rsync on macOS 15.4 and newer is actually openrsync, which has different permissions and throws errors when copying git objects
+#
+# So, we use find to list all files except _bin, and then copy each in turn
+find . -maxdepth 1 -not \( -path "./_bin" -prune \) | xargs -I% cp -af "${projectdir}/%" "${tmp}/"
+
 pushd "${tmp}" >/dev/null
 
 "$@"

make/_shared/go/base/.github/workflows/govulncheck.yaml

@@ -28,7 +28,7 @@ jobs:
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 

make/_shared/helm/helm.mk

@@ -128,7 +128,28 @@ $(bin_dir)/scratch/kyverno/pod-security-policy.yaml: | $(NEEDS_KUSTOMIZE) $(bin_
 # Extra arguments for kyverno apply.
 kyverno_apply_extra_args :=
 # Allows known policy violations to be skipped by supplying Kyverno policy
-# exceptions.
+# exceptions as a Kyverno YAML resource, e.g.:
+# apiVersion: kyverno.io/v2
+# kind: PolicyException
+# metadata:
+#   name: pod-security-exceptions
+# spec:
+#   exceptions:
+#   - policyName: disallow-privilege-escalation
+#     ruleNames:
+#     - autogen-privilege-escalation
+#   - policyName: restrict-seccomp-strict
+#     ruleNames:
+#     - autogen-check-seccomp-strict
+#   match:
+#     any:
+#     - resources:
+#         kinds:
+#         - Deployment
+#         namespaces:
+#         - mynamespace
+#         names:
+#         - my-deployment
 ifneq ("$(wildcard make/verify-pod-security-standards-exceptions.yaml)","")
 		kyverno_apply_extra_args += --exceptions make/verify-pod-security-standards-exceptions.yaml
 endif

make/_shared/kind/00_kind_image_versions.mk

@@ -15,16 +15,16 @@
 # This file is auto-generated by the learn_kind_images.sh script in the makefile-modules repo.
 # Do not edit manually.
 
-kind_image_kindversion := v0.26.0
+kind_image_kindversion := v0.27.0
 
-kind_image_kube_1.29_amd64 := docker.io/kindest/node:v1.29.12@sha256:c1b696872c6d4d41889c1c7ca460d6c6349665061e6dd2a9cc5abda7dd8e21bc
-kind_image_kube_1.29_arm64 := docker.io/kindest/node:v1.29.12@sha256:a29e3189829c4784b31507c793b5d186914a6ed81d2296c39d32543988911f36
-kind_image_kube_1.30_amd64 := docker.io/kindest/node:v1.30.8@sha256:da9368e0cfa74ca1a7e2c6d6c7abf890e627a94d9c8300dd9d951f63947a456c
-kind_image_kube_1.30_arm64 := docker.io/kindest/node:v1.30.8@sha256:27b247e13bac7271e013ea4118843f8072e5a4f1fa8ce2c5c47018e6b2d45cce
-kind_image_kube_1.31_amd64 := docker.io/kindest/node:v1.31.4@sha256:29370cbe44fd9798ac1e47e7ad04e53c375c0c683a25cc0cc7db331ad07c9952
-kind_image_kube_1.31_arm64 := docker.io/kindest/node:v1.31.4@sha256:496ab674cddaa72e97f2aa70729df5b403f46ee5834fb9a44773284998fea6d5
-kind_image_kube_1.32_amd64 := docker.io/kindest/node:v1.32.0@sha256:dd45e7e76478f76d2881cf031e64512f51be63dcb61420307982a24913badf8f
-kind_image_kube_1.32_arm64 := docker.io/kindest/node:v1.32.0@sha256:eff24f9d99bc56271a456484d87cd6e6fc0beec7d4418958d589804703c00588
+kind_image_kube_1.29_amd64 := docker.io/kindest/node:v1.29.14@sha256:e7858e6394f5e834802ce573ab340a0584d8314f909cb0717e14b57f2dd97257
+kind_image_kube_1.29_arm64 := docker.io/kindest/node:v1.29.14@sha256:6eed9bfd0313cc3574c4613adeb7f53832cb8d9c0ca9ffa8b8221716fd96dc18
+kind_image_kube_1.30_amd64 := docker.io/kindest/node:v1.30.10@sha256:e382f9b891474f1c4b0b5cfcf27f8e471f1bdc1f285afe38adeec1bd5b856cfe
+kind_image_kube_1.30_arm64 := docker.io/kindest/node:v1.30.10@sha256:ca8e16c04ee9ebaeb9a4dd85abbe188f3893fb39bd658d6d3e639d16cf46e3da
+kind_image_kube_1.31_amd64 := docker.io/kindest/node:v1.31.6@sha256:37d52dc19f59394f9347b00547c3ed2d73eb301a60294b9b05fbe56fb6196517
+kind_image_kube_1.31_arm64 := docker.io/kindest/node:v1.31.6@sha256:4e6223faa19178922d30e7b62546c5464fdf9bc66a3df64073424a51ab44f2ab
+kind_image_kube_1.32_amd64 := docker.io/kindest/node:v1.32.2@sha256:a37b679ad8c1cfa7c64aca1734cc4299dc833258d6c131ed0204c8cd2bd56ff7
+kind_image_kube_1.32_arm64 := docker.io/kindest/node:v1.32.2@sha256:4d0e1b60f1da0d1349996a9778f8bace905189af5e05e04618eae0a155dd9f9c
 
 kind_image_latest_amd64 := $(kind_image_kube_1.32_amd64)
 kind_image_latest_arm64 := $(kind_image_kube_1.32_arm64)

make/_shared/kind/kind-image-preload.mk

@@ -32,18 +32,33 @@ images_files := $(foreach image,$(images),$(subst :,+,$(image)))
 images_tar_dir := $(bin_dir)/downloaded/containers/$(HOST_ARCH)
 images_tars := $(images_files:%=$(images_tar_dir)/%.tar)
 
-# Download the images as tarballs. We must use the tag because the digest
-# will change after we docker import the image. The tag is the only way to
-# reference the image after it has been imported. Before downloading the
-# image, we check that the provided digest matches the digest of the image
-# that we are about to pull.
-$(images_tars): $(images_tar_dir)/%.tar: | $(NEEDS_CRANE)
-	@$(eval image=$(subst +,:,$*))
-	@$(eval image_without_digest=$(shell cut -d@ -f1 <<<"$(image)"))
-	@$(eval digest=$(subst $(image_without_digest)@,,$(image)))
-	@mkdir -p $(dir $@)
-	diff <(echo "$(digest)  -" | cut -d: -f2) <($(CRANE) manifest --platform=linux/$(HOST_ARCH) $(image_without_digest) | sha256sum)
-	$(CRANE) pull $(image_without_digest) $@ --platform=linux/$(HOST_ARCH)
+# Download the images as tarballs. After downloading the image using
+# its digest, we untar the image and modify the .[0].RepoTags[0] value in
+# the manifest.json file to have the correct tag (instead of "i-was-a-digest"
+# which is set when the image is pulled using its digest). This tag is used
+# to reference the image after it has been imported using docker or kind. Otherwise,
+# the image would be imported with the tag "i-was-a-digest" which is not very useful.
+# We would have to use digests to reference the image everywhere which might
+# not always be possible and does not match the default behavior of eg. our helm charts.
+# Untarring and modifying manifest.json is a hack and we hope that crane adds an option
+# in the future that allows setting the tag on images that are pulled by digest.
+# NOTE: the tag is fully determined based on the input, we fully allow the remote
+# tag to point to a different digest. This prevents CI from breaking due to upstream
+# changes. However, it also means that we can incorrectly combine digests with tags,
+# hence caution is advised.
+$(images_tars): $(images_tar_dir)/%.tar: | $(NEEDS_CRANE) $(NEEDS_GOJQ)
+	@$(eval full_image=$(subst +,:,$*))
+	@$(eval bare_image=$(word 1,$(subst :, ,$(full_image))))
+	@$(eval digest=$(word 2,$(subst @, ,$(full_image))))
+	@$(eval tag=$(word 2,$(subst :, ,$(word 1,$(subst @, ,$(full_image))))))
+	@mkdir -p $@.tmp.unpacked
+	$(CRANE) pull "$(bare_image)@$(digest)" $@.tmp --platform=linux/$(HOST_ARCH)
+	@tar xf $@.tmp -C $@.tmp.unpacked
+	@rm -rf $@.tmp
+	@$(GOJQ) '.[0].RepoTags[0] |= rtrimstr("i-was-a-digest") + "$(tag)"' $@.tmp.unpacked/manifest.json > $@.tmp.unpacked/manifest.json.new
+	@mv $@.tmp.unpacked/manifest.json.new $@.tmp.unpacked/manifest.json
+	@find $@.tmp.unpacked \( -type f -o -type d \) -printf "%P\n" | tar -cf $@ --no-recursion -C $@.tmp.unpacked -T -
+	@rm -rf $@.tmp.unpacked
 
 images_tar_envs := $(images_files:%=env-%)
 

make/_shared/oci-build/00_mod.mk

@@ -16,11 +16,11 @@ oci_platforms ?= linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le
 
 # Use distroless as minimal base image to package the manager binary
 # To get latest SHA run "crane digest quay.io/jetstack/base-static:latest"
-base_image_static := quay.io/jetstack/base-static@sha256:9202d031a2bf364519a07629e51daca08233e3096936563ea5f35f0e19003853
+base_image_static := quay.io/jetstack/base-static@sha256:713aaf3b2c45b103d37778943f2c384120eabb97b9097eea4b5cbbd32880b86d
 
 # Use custom apko-built image as minimal base image to package the manager binary
 # To get latest SHA run "crane digest quay.io/jetstack/base-static-csi:latest"
-base_image_csi-static := quay.io/jetstack/base-static-csi@sha256:2e159b417e03b3d454c202f8281922784ef7153873dc5a62bdb5e456de9dc6db
+base_image_csi-static := quay.io/jetstack/base-static-csi@sha256:3499c6d3073503bd13e015c27b039e58a790e5623906af1cf42ebbf85a8ff7f6
 
 # Utility functions
 fatal_if_undefined = $(if $(findstring undefined,$(origin $1)),$(error $1 is not set))
@@ -43,8 +43,7 @@ go_$1_goexperiment ?= $(GOEXPERIMENT)
 go_$1_flags ?= -tags=
 oci_$1_additional_layers ?= 
 oci_$1_linux_capabilities ?= 
-oci_$1_image_annotation ?= 
-oci_$1_image_label ?= 
+oci_$1_build_args ?= 
 endef
 
 $(foreach build_name,$(build_names),$(eval $(call default_per_build_variables,$(build_name))))

make/_shared/oci-build/01_mod.mk

@@ -63,8 +63,7 @@ $(oci_build_targets): oci-build-%: ko-config-% | $(NEEDS_KO) $(NEEDS_GO) $(NEEDS
 	LDFLAGS="$(go_$*_ldflags)" \
 	$(KO) build $(go_$*_mod_dir)/$(go_$*_main_dir) \
 		--platform=$(oci_platforms) \
-		--image-annotation=$(oci_$*_image_annotation) \
-		--image-label=$(oci_$*_image_label) \
+		$(oci_$*_build_args) \
 		--oci-layout-path=$(oci_layout_path_$*) \
 		--sbom-dir=$(CURDIR)/$(oci_layout_path_$*).sbom \
 		--sbom=spdx \