run 'make upgrade-klone' and 'make generate'

Signed-off-by: Tim Ramlot <[email protected]>

Author: inteon

.github/workflows/govulncheck.yaml

@@ -17,6 +17,8 @@ jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
+    if: github.repository_owner == 'cert-manager'
+
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need

klone.yaml

@@ -10,50 +10,50 @@ targets:
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63de69c93b4abd5f087b5ec9e845ac901334f3f4
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63de69c93b4abd5f087b5ec9e845ac901334f3f4
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/go
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63de69c93b4abd5f087b5ec9e845ac901334f3f4
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63de69c93b4abd5f087b5ec9e845ac901334f3f4
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63de69c93b4abd5f087b5ec9e845ac901334f3f4
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63de69c93b4abd5f087b5ec9e845ac901334f3f4
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/klone
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63de69c93b4abd5f087b5ec9e845ac901334f3f4
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/oci-build
     - folder_name: oci-publish
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63de69c93b4abd5f087b5ec9e845ac901334f3f4
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/oci-publish
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63de69c93b4abd5f087b5ec9e845ac901334f3f4
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63de69c93b4abd5f087b5ec9e845ac901334f3f4
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/tools

make/_shared/go/base/.github/workflows/govulncheck.yaml

@@ -17,6 +17,8 @@ jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
+    if: github.repository_owner == 'cert-manager'
+
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need

make/_shared/helm/helm.mk

@@ -178,3 +178,16 @@ verify-helm-lint: $(helm_chart_archive) | $(NEEDS_HELM)
 	$(HELM) lint $(helm_chart_archive)
 
 shared_verify_targets_dirty += verify-helm-lint
+
+.PHONY: verify-helm-kubeconform
+## Verify that the Helm chart passes a strict check using kubeconform
+## @category [shared] Generate/ Verify
+verify-helm-kubeconform: $(helm_chart_archive) | $(NEEDS_KUBECONFORM)
+	@$(HELM) template $(helm_chart_archive) $(INSTALL_OPTIONS) \
+	| $(KUBECONFORM) \
+		-schema-location default \
+		-schema-location "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.NormalizedKubernetesVersion}}/{{.ResourceKind}}.json" \
+		-schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json" \
+		-strict
+
+shared_verify_targets_dirty += verify-helm-kubeconform

make/_shared/kind/00_kind_image_versions.mk

@@ -25,6 +25,8 @@ kind_image_kube_1.31_amd64 := docker.io/kindest/node:v1.31.6@sha256:37d52dc19f59
 kind_image_kube_1.31_arm64 := docker.io/kindest/node:v1.31.6@sha256:4e6223faa19178922d30e7b62546c5464fdf9bc66a3df64073424a51ab44f2ab
 kind_image_kube_1.32_amd64 := docker.io/kindest/node:v1.32.2@sha256:a37b679ad8c1cfa7c64aca1734cc4299dc833258d6c131ed0204c8cd2bd56ff7
 kind_image_kube_1.32_arm64 := docker.io/kindest/node:v1.32.2@sha256:4d0e1b60f1da0d1349996a9778f8bace905189af5e05e04618eae0a155dd9f9c
+kind_image_kube_1.33_amd64 := docker.io/kindest/node:v1.33.0@sha256:c9ec7bf998c310c5a6c903d66c2e595fb3e2eb53fb626cd53d07a3a5499de412
+kind_image_kube_1.33_arm64 := docker.io/kindest/node:v1.33.0@sha256:96ae3b980f87769e0117c2a89ec74fc660b84eedb573432abd2a682af3eccc02
 
-kind_image_latest_amd64 := $(kind_image_kube_1.32_amd64)
-kind_image_latest_arm64 := $(kind_image_kube_1.32_arm64)
+kind_image_latest_amd64 := $(kind_image_kube_1.33_amd64)
+kind_image_latest_arm64 := $(kind_image_kube_1.33_arm64)

make/_shared/kind/00_mod.mk

@@ -17,5 +17,17 @@ include $(dir $(lastword $(MAKEFILE_LIST)))/00_kind_image_versions.mk
 images_amd64 ?=
 images_arm64 ?=
 
+# K8S_VERSION can be used to specify a specific
+# kubernetes version to use with Kind.
+K8S_VERSION ?=
+ifeq ($(K8S_VERSION),)
 images_amd64 += $(kind_image_latest_amd64)
 images_arm64 += $(kind_image_latest_arm64)
+else
+fatal_if_undefined = $(if $(findstring undefined,$(origin $1)),$(error $1 is not set))
+$(call fatal_if_undefined,kind_image_kube_$(K8S_VERSION)_amd64)
+$(call fatal_if_undefined,kind_image_kube_$(K8S_VERSION)_arm64)
+
+images_amd64 += $(kind_image_kube_$(K8S_VERSION)_amd64)
+images_arm64 += $(kind_image_kube_$(K8S_VERSION)_arm64)
+endif

make/_shared/kind/kind-image-preload.mk

@@ -27,21 +27,18 @@ endif
 ##########################################
 
 images := $(images_$(HOST_ARCH))
-images_files := $(foreach image,$(images),$(subst :,+,$(image)))
 
 images_tar_dir := $(bin_dir)/downloaded/containers/$(HOST_ARCH)
-images_tars := $(images_files:%=$(images_tar_dir)/%.tar)
+images_tars := $(foreach image,$(images),$(images_tar_dir)/$(subst :,+,$(image)).tar)
 
 # Download the images as tarballs. After downloading the image using
-# its digest, we untar the image and modify the .[0].RepoTags[0] value in
+# its digest, we use image-tool to modify the .[0].RepoTags[0] value in
 # the manifest.json file to have the correct tag (instead of "i-was-a-digest"
 # which is set when the image is pulled using its digest). This tag is used
 # to reference the image after it has been imported using docker or kind. Otherwise,
 # the image would be imported with the tag "i-was-a-digest" which is not very useful.
 # We would have to use digests to reference the image everywhere which might
 # not always be possible and does not match the default behavior of eg. our helm charts.
-# Untarring and modifying manifest.json is a hack and we hope that crane adds an option
-# in the future that allows setting the tag on images that are pulled by digest.
 # NOTE: the tag is fully determined based on the input, we fully allow the remote
 # tag to point to a different digest. This prevents CI from breaking due to upstream
 # changes. However, it also means that we can incorrectly combine digests with tags,
@@ -55,17 +52,18 @@ $(images_tars): $(images_tar_dir)/%.tar: | $(NEEDS_IMAGE-TOOL) $(NEEDS_CRANE) $(
 	$(CRANE) pull "$(bare_image)@$(digest)" $@ --platform=linux/$(HOST_ARCH)
 	$(IMAGE-TOOL) tag-docker-tar $@ "$(bare_image):$(tag)"
 
-images_tar_envs := $(images_files:%=env-%)
+# $1 = image
+# $2 = image:tag@sha256:digest
+define image_variables
+$1.TAR      := $(images_tar_dir)/$(subst :,+,$2).tar
+$1.REPO     := $1
+$1.TAG      := $(word 2,$(subst :, ,$(word 1,$(subst @, ,$2))))
+$1.FULL     := $(word 1,$(subst @, ,$2))
+endef
 
-.PHONY: $(images_tar_envs)
-$(images_tar_envs): env-%: $(images_tar_dir)/%.tar | $(NEEDS_GOJQ)
-	@$(eval image_without_tag=$(shell cut -d+ -f1 <<<"$*"))
-	@$(eval $(image_without_tag).TAR="$(images_tar_dir)/$*.tar")
-	@$(eval $(image_without_tag).REPO=$(shell tar xfO "$(images_tar_dir)/$*.tar" manifest.json | $(GOJQ) '.[0].RepoTags[0]' -r | cut -d: -f1))
-	@$(eval $(image_without_tag).TAG=$(shell tar xfO "$(images_tar_dir)/$*.tar" manifest.json | $(GOJQ) '.[0].RepoTags[0]' -r | cut -d: -f2))
-	@$(eval $(image_without_tag).FULL=$($(image_without_tag).REPO):$($(image_without_tag).TAG))
+$(foreach image,$(images),$(eval $(call image_variables,$(word 1,$(subst :, ,$(image))),$(image))))
 
 .PHONY: images-preload
 ## Preload images.
 ## @category [shared] Kind cluster
-images-preload: | $(images_tar_envs)
+images-preload: | $(images_tars)

make/_shared/oci-build/00_mod.mk

@@ -16,11 +16,11 @@ oci_platforms ?= linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le
 
 # Use distroless as minimal base image to package the manager binary
 # To get latest SHA run "crane digest quay.io/jetstack/base-static:latest"
-base_image_static := quay.io/jetstack/base-static@sha256:713aaf3b2c45b103d37778943f2c384120eabb97b9097eea4b5cbbd32880b86d
+base_image_static := quay.io/jetstack/base-static@sha256:16a5a64b918592f5c38fa73721a87f8585a3a501d261087e7b953f8b59279cd0
 
 # Use custom apko-built image as minimal base image to package the manager binary
 # To get latest SHA run "crane digest quay.io/jetstack/base-static-csi:latest"
-base_image_csi-static := quay.io/jetstack/base-static-csi@sha256:3499c6d3073503bd13e015c27b039e58a790e5623906af1cf42ebbf85a8ff7f6
+base_image_csi-static := quay.io/jetstack/base-static-csi@sha256:fb97fc098aabdfb5b9b01475d3531b688a9c2219f4bbc143816d3e47a267be6d
 
 # Utility functions
 fatal_if_undefined = $(if $(findstring undefined,$(origin $1)),$(error $1 is not set))
@@ -128,7 +128,7 @@ ko_config_targets := $(build_names:%=ko-config-%)
 # - oci_digest_path_$(build_name) = path to the file that will contain the digests
 # - ko_config_path_$(build_name) = path to the ko config file
 # - docker_tarball_path_$(build_name) = path that the docker tarball that the docker-tarball-$(build_name) will produce
-$(foreach build_name,$(build_names),$(eval oci_layout_path_$(build_name) := $(bin_dir)/scratch/image/oci-layout-$(build_name).$(oci_$(build_name)_image_tag)))
+$(foreach build_name,$(build_names),$(eval oci_layout_path_$(build_name) := $(bin_dir)/scratch/image/oci-layout-$(build_name)))
 $(foreach build_name,$(build_names),$(eval oci_digest_path_$(build_name) := $(CURDIR)/$(oci_layout_path_$(build_name)).digests))
 $(foreach build_name,$(build_names),$(eval ko_config_path_$(build_name) := $(CURDIR)/$(oci_layout_path_$(build_name)).ko_config.yaml))
 $(foreach build_name,$(build_names),$(eval docker_tarball_path_$(build_name) := $(CURDIR)/$(oci_layout_path_$(build_name)).docker.tar))

make/_shared/tools/00_mod.mk

@@ -18,8 +18,17 @@ endif
 
 ##########################################
 
-export DOWNLOAD_DIR ?= $(CURDIR)/$(bin_dir)/downloaded
-export GOVENDOR_DIR ?= $(CURDIR)/$(bin_dir)/go_vendor
+default_shared_dir := $(CURDIR)/$(bin_dir)
+# If $(HOME) is set and $(CI) is not, use the $(HOME)/.cache
+# folder to store downloaded binaries.
+ifneq ($(shell printenv HOME),)
+ifeq ($(shell printenv CI),)
+default_shared_dir := $(HOME)/.cache/makefile-modules
+endif
+endif
+
+export DOWNLOAD_DIR ?= $(default_shared_dir)/downloaded
+export GOVENDOR_DIR ?= $(default_shared_dir)/go_vendor
 
 $(bin_dir)/tools $(DOWNLOAD_DIR)/tools:
 	@mkdir -p $@
@@ -125,7 +134,7 @@ tools += cmctl=v2.1.1
 # https://pkg.go.dev/github.com/cert-manager/release/cmd/cmrel?tab=versions
 tools += cmrel=e3cbe5171488deda000145003e22567bdce622ea
 # https://pkg.go.dev/github.com/golangci/golangci-lint/v2/cmd/golangci-lint?tab=versions
-tools += golangci-lint=v2.1.1
+tools += golangci-lint=v2.1.2
 # https://pkg.go.dev/golang.org/x/vuln?tab=versions
 tools += govulncheck=v1.1.4
 # https://pkg.go.dev/github.com/operator-framework/operator-sdk/cmd/operator-sdk?tab=versions
@@ -138,6 +147,8 @@ tools += preflight=1.12.1
 tools += gci=v0.13.6
 # https://github.com/google/yamlfmt/releases
 tools += yamlfmt=v0.16.0
+# https://github.com/yannh/kubeconform/releases
+tools += kubeconform=v0.6.7
 
 # https://pkg.go.dev/k8s.io/code-generator/cmd?tab=versions
 K8S_CODEGEN_VERSION := v0.32.3
@@ -345,6 +356,7 @@ go_dependencies += operator-sdk=github.com/operator-framework/operator-sdk/cmd/o
 go_dependencies += gh=github.com/cli/cli/v2/cmd/gh
 go_dependencies += gci=github.com/daixiang0/gci
 go_dependencies += yamlfmt=github.com/google/yamlfmt/cmd/yamlfmt
+go_dependencies += kubeconform=github.com/yannh/kubeconform/cmd/kubeconform
 
 #################
 # go build tags #