Merge pull request #70 from cybozu-go/k8s-1.27

Support Kubernetes 1.27

.github/workflows/ci.yaml

@@ -36,9 +36,9 @@ jobs:
     strategy:
       matrix:
         k8s-version:
-        - "v1.23.17"
-        - "v1.24.12"
-        - "v1.25.8"
+        - v1.25.11
+        - v1.26.6
+        - v1.27.3
     runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v3

aqua.yaml

@@ -4,14 +4,14 @@ registries:
   - type: standard
     ref: v4.23.0 # renovate: depName=aquaproj/aqua-registry
 packages:
-  - name: kubernetes/kubectl@v1.25.8
-  - name: kubernetes-sigs/kubebuilder@v3.8.0
-  - name: kubernetes-sigs/kustomize@kustomize/v4.5.7
-  - name: kubernetes-sigs/kind@v0.18.0
-  - name: rust-lang/mdBook@v0.4.27
-  - name: mikefarah/yq@v4.31.1
+  - name: kubernetes/kubectl@v1.27.3
+  - name: kubernetes-sigs/kubebuilder@v3.11.0
+  - name: kubernetes-sigs/kustomize@kustomize/v5.1.0
+  - name: kubernetes-sigs/kind@v0.20.0
+  - name: rust-lang/mdBook@v0.4.31
+  - name: mikefarah/yq@v4.34.1
   - name: clamoriniere/crd-to-markdown@v0.0.3
-  - name: kubernetes-sigs/controller-tools/controller-gen@v0.11.3
-  - name: helm/helm@v3.8.1
-  - name: bitnami-labs/sealed-secrets@v0.18.5
-  - name: goreleaser/goreleaser@v1.15.2
+  - name: kubernetes-sigs/controller-tools/controller-gen@v0.12.0
+  - name: helm/helm@v3.12.1
+  - name: bitnami-labs/sealed-secrets@v0.22.0
+  - name: goreleaser/goreleaser@v1.19.1

charts/accurate/crds/accurate.cybozu.com_subnamespaces.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
+    controller-gen.kubebuilder.io/version: v0.12.0
   labels:
     app.kubernetes.io/name: accurate
   name: subnamespaces.accurate.cybozu.com

cmd/accurate-controller/sub/run.go

@@ -3,6 +3,7 @@ package sub
 import (
 	"fmt"
 	"os"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
@@ -11,7 +12,6 @@ import (
 	accuratev1 "github.com/cybozu-go/accurate/api/v1"
 	"github.com/cybozu-go/accurate/controllers"
 	"github.com/cybozu-go/accurate/hooks"
-	"github.com/cybozu-go/accurate/pkg/cluster"
 	"github.com/cybozu-go/accurate/pkg/config"
 	"github.com/cybozu-go/accurate/pkg/indexing"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -53,8 +53,12 @@ func subMain(ns, addr string, port int) error {
 	restCfg.Burst = int(restCfg.QPS * 1.5)
 
 	mgr, err := ctrl.NewManager(restCfg, ctrl.Options{
-		Scheme:                  scheme,
-		NewClient:               cluster.NewCachingClient,
+		Scheme: scheme,
+		Client: client.Options{
+			Cache: &client.CacheOptions{
+				Unstructured: true,
+			},
+		},
 		MetricsBindAddress:      options.metricsAddr,
 		HealthProbeBindAddress:  options.probeAddr,
 		LeaderElection:          true,
@@ -84,10 +88,7 @@ func subMain(ns, addr string, port int) error {
 	}
 
 	ctx := ctrl.SetupSignalHandler()
-	dec, err := admission.NewDecoder(scheme)
-	if err != nil {
-		return fmt.Errorf("unable to create admission decoder: %w", err)
-	}
+	dec := admission.NewDecoder(scheme)
 
 	// Namespace reconciler & webhook
 	if err := indexing.SetupIndexForNamespace(ctx, mgr); err != nil {

config/crd/bases/accurate.cybozu.com_subnamespaces.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.12.0
   name: subnamespaces.accurate.cybozu.com
 spec:
   group: accurate.cybozu.com

config/rbac/role.yaml

@@ -2,7 +2,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   name: manager-role
 rules:
 - apiGroups:

config/webhook/manifests.yaml

@@ -2,7 +2,6 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
-  creationTimestamp: null
   name: mutating-webhook-configuration
 webhooks:
 - admissionReviewVersions:
@@ -29,7 +28,6 @@ webhooks:
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  creationTimestamp: null
   name: validating-webhook-configuration
 webhooks:
 - admissionReviewVersions:

controllers/namespace_controller.go

@@ -20,7 +20,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"sigs.k8s.io/controller-runtime/pkg/source"
 )
 
 // NamespaceReconciler reconciles a Namespace object
@@ -386,11 +385,11 @@ func (r *NamespaceReconciler) SetupWithManager(mgr ctrl.Manager) error {
 
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&corev1.Namespace{}).
-		Watches(&source.Kind{Type: &accuratev1.SubNamespace{}}, handler.Funcs{
-			CreateFunc: func(ev event.CreateEvent, q workqueue.RateLimitingInterface) {
+		Watches(&accuratev1.SubNamespace{}, handler.Funcs{
+			CreateFunc: func(ctx context.Context, ev event.CreateEvent, q workqueue.RateLimitingInterface) {
 				subNSHandler(ev.Object, q)
 			},
-			UpdateFunc: func(ev event.UpdateEvent, q workqueue.RateLimitingInterface) {
+			UpdateFunc: func(ctx context.Context, ev event.UpdateEvent, q workqueue.RateLimitingInterface) {
 				if ev.ObjectNew.GetDeletionTimestamp() != nil {
 					return
 				}

controllers/namespace_controller_test.go

@@ -6,7 +6,6 @@ import (
 	"time"
 
 	accuratev1 "github.com/cybozu-go/accurate/api/v1"
-	"github.com/cybozu-go/accurate/pkg/cluster"
 	"github.com/cybozu-go/accurate/pkg/constants"
 	"github.com/cybozu-go/accurate/pkg/indexing"
 	. "github.com/onsi/ginkgo/v2"
@@ -47,7 +46,11 @@ var _ = Describe("Namespace controller", func() {
 			Scheme:             scheme,
 			LeaderElection:     false,
 			MetricsBindAddress: "0",
-			NewClient:          cluster.NewCachingClient,
+			Client: client.Options{
+				Cache: &client.CacheOptions{
+					Unstructured: true,
+				},
+			},
 		})
 		Expect(err).ToNot(HaveOccurred())
 

controllers/subnamespace_controller.go

@@ -17,7 +17,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"sigs.k8s.io/controller-runtime/pkg/source"
 )
 
 // SubNamespaceReconciler reconciles a SubNamespace object
@@ -136,14 +135,14 @@ func (r *SubNamespaceReconciler) SetupWithManager(mgr ctrl.Manager) error {
 
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&accuratev1.SubNamespace{}).
-		Watches(&source.Kind{Type: &corev1.Namespace{}}, handler.Funcs{
-			UpdateFunc: func(ev event.UpdateEvent, q workqueue.RateLimitingInterface) {
+		Watches(&corev1.Namespace{}, handler.Funcs{
+			UpdateFunc: func(ctx context.Context, ev event.UpdateEvent, q workqueue.RateLimitingInterface) {
 				if ev.ObjectNew.GetDeletionTimestamp() != nil {
 					return
 				}
 				nsHandler(ev.ObjectOld, q)
 			},
-			DeleteFunc: func(ev event.DeleteEvent, q workqueue.RateLimitingInterface) {
+			DeleteFunc: func(ctx context.Context, ev event.DeleteEvent, q workqueue.RateLimitingInterface) {
 				nsHandler(ev.Object, q)
 			},
 		}).

docs/SUMMARY.md

@@ -31,3 +31,4 @@
 - [Design notes](design.md)
 - [Reconciliation rules](reconcile.md)
 - [Release procedure](release.md)
+- [Maintenance](maintenance.md)

docs/maintenance.md

@@ -0,0 +1,16 @@
+# Maintenance
+
+## How to update supported Kubernetes
+
+Accurate supports the three latest Kubernetes versions.
+If a new Kubernetes is released, please update the following files.
+
+- Update Kubernetes version in `e2e/Makefile` and `.github/workflows/ci.yaml`.
+- Update kubectl version in `aqua.yaml`.
+- Update `k8s.io/*` and `sigs.k8s.io/controller-runtime` packages version in `go.mod`.
+
+If Kubernetes or controller-runtime API has changed, please fix the relevant source code.
+
+## How to update dependencies
+
+TBD.

e2e/Makefile

@@ -1,4 +1,4 @@
-KUBERNETES_VERSION = v1.25.8
+KUBERNETES_VERSION = v1.27.3
 
 KUBECTL_ACCURATE := $(dir $(shell pwd))/bin/kubectl-accurate
 KUBECONFIG := $(shell pwd)/.kubeconfig

e2e/e2e_test.go

@@ -19,9 +19,6 @@ var roleYAML []byte
 //go:embed testdata/resourceQuota.yaml
 var resourceQuota []byte
 
-//go:embed testdata/serviceaccount.yaml
-var serviceAccountYAML []byte
-
 //go:embed testdata/serviceaccountWithDummySecrets.yaml
 var serviceAccountWithDummySecretsYAML []byte
 
@@ -289,57 +286,7 @@ var _ = Describe("kubectl accurate", func() {
 		Expect(err).To(HaveOccurred())
 	})
 
-	It("should propagate ServiceAccount w/o secrets field (Kubernetes 1.23 or lower)", func() {
-		if k8sMinorVersion >= 26 {
-			Fail("this test case is no longer needed")
-		}
-		if k8sMinorVersion >= 24 {
-			Skip("this test case does not work")
-		}
-
-		kubectlSafe(serviceAccountYAML, "apply", "-f", "-")
-		var tokenName string
-		Eventually(func() error {
-			out, err := kubectl(nil, "-n", "subroot1", "get", "serviceaccounts", "test", "-o", "json")
-			if err != nil {
-				return err
-			}
-			sa := &corev1.ServiceAccount{}
-			if err := json.Unmarshal(out, sa); err != nil {
-				return err
-			}
-			if len(sa.Secrets) == 0 {
-				return errors.New("no token")
-			}
-			tokenName = sa.Secrets[0].Name
-			return nil
-		}).Should(Succeed())
-
-		var tokenName2 string
-		Eventually(func() error {
-			out, err := kubectl(nil, "-n", "sn1", "get", "serviceaccounts", "test", "-o", "json")
-			if err != nil {
-				return err
-			}
-			sa := &corev1.ServiceAccount{}
-			if err := json.Unmarshal(out, sa); err != nil {
-				return err
-			}
-			if len(sa.Secrets) == 0 {
-				return errors.New("no token")
-			}
-			tokenName2 = sa.Secrets[0].Name
-			return nil
-		}).Should(Succeed())
-
-		Expect(tokenName2).NotTo(Equal(tokenName))
-	})
-
-	It("should propagate ServiceAccount w/o secrets field (Kubernetes 1.24 or higher)", func() {
-		if k8sMinorVersion < 24 {
-			Skip("this test case does not work")
-		}
-
+	It("should propagate ServiceAccount w/o secrets field", func() {
 		// From Kubernetes 1.24, the auto-generation of secret-based service account tokens has been disabled by default.
 		// So the secrets field in the ServiceAccount is not updated. But when upgrading Kubernetes from 1.23 or lower,
 		// some ServiceAccounts that have been created before the upgrade might have the secrets field.