feat(deps)!: remove legacy istio-operator ingress + unblock update-go-deps CI; bump k8s v0.36.1 / controller-runtime v0.24.1 / helm v3.21.0#258
Open
amuraru wants to merge 3 commits into
Conversation
amuraru
force-pushed
the
update-go-deps/k8s-v036-unblock
branch
4 times, most recently
from
aa8340c to
8b4da76
Compare
amuraru
force-pushed
the
update-go-deps/k8s-v036-unblock
branch
7 times, most recently
from
7455cf2 to
2b0c290
Compare
The vendored github.com/banzaicloud/istio-operator API is EOL/unmaintained and fundamentally incompatible with k8s >= 0.35: k8s dropped the proto.Message method set (ProtoMessage()) from core types, so the istio types' proto.Clone / jsonpb codepaths panic on any message embedding a k8s type (e.g. *corev1.LocalObjectReference). This blocks upgrading the k8s dependencies. Remove the istioingress external-listener support entirely (envoy / contour / nodeport remain; envoy stays the default): - Delete pkg/resources/istioingress, pkg/util/istioingress, the vendored third_party istio-operator + istio-client-go modules, the istio CRD test fixtures, the istioingress controller test, and the istio sample. - Drop the istioingress ingressController enum value, the spec.istioControlPlane field, IstioIngressConfig, and IstioControlPlaneReference from the KafkaCluster API; remove the istio scheme registrations, RBAC markers, reconciler wiring, and the istio branch of GetIngressConfigs / external-listener status. - Regenerate CRDs, RBAC and zz_generated.deepcopy; go mod tidy drops the istio modules. Remove the stale istio-operator entry from .licensei.toml and the istio CRD names from the e2e cleanup list. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… v3.21.0 Root cause: the weekly update-go-deps CI job has been failing since 2026-05-18 because sequential per-module `go get -u` calls leave k8s.io/kubectl at v0.35 while k8s.io/api reaches v0.36; kubectl v0.35 imports scheduling/v1alpha1 which was removed in v0.36, so `go mod tidy` aborts. Makefile (update-module-deps): - After the upgrade loop, pin kubectl and cli-runtime to the same minor as k8s.io/api so the k8s ecosystem stays in lockstep. - Exclude .claude/worktrees from `make tidy`. Dependency bumps (make update-go-deps + make generate manifests): - k8s.io/*: v0.34.x -> v0.36.1 (all in lockstep, incl. kubectl/cli-runtime) - helm.sh/helm/v3: v3.19.4 -> v3.21.0 - sigs.k8s.io/controller-runtime: v0.22.4 -> v0.24.1 - google.golang.org/grpc: v1.72.1 -> v1.81.1; other leaf bumps - CRDs + zz_generated.deepcopy regenerated (controller-gen v0.21; new k8s v0.36 schema fields) controller-runtime v0.24 breaking API changes: - main.go: NewWebhookManagedBy is generic; pass typed object as 2nd arg. - kafkacluster_validator.go, kafkatopic_validator.go: ValidateCreate/Update/ Delete now take concrete CRD types instead of runtime.Object. - mocks/SubResourceClient.go: add Apply() (new in SubResourceWriter). - kafkaclient/mock_client.go: add CreateACLs() to mockClusterAdmin. k8s v0.36 source migration: - k8s-objectmatcher tests: autoscaling/v2beta1 -> autoscaling/v2 (removed). SA1019 deprecations (golangci-lint v2.12.2): - api/v1alpha1,v1beta1: scheme.Builder -> runtime.NewSchemeBuilder (removes controller-runtime from the api module imports). - cmmeta.ObjectReference -> IssuerReference; corev1.ServiceExternalTrafficPolicyType -> ServiceExternalTrafficPolicy. - kafkaclient: CreateACL -> CreateACLs (batched per resource). - tests/e2e: terratest kubectl/helm helpers -> Context variants. - operator-tools: StorageMigrating added to exhaustive CRD-condition switch; nolint on the remaining scheme.Builder (third-party, not an api package). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
amuraru
force-pushed
the
update-go-deps/k8s-v036-unblock
branch
from
2b0c290 to
b8696e1
Compare
amuraru
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The weekly
update-go-depsCI job has been failing every run since 2026-05-18. Unblocking it requires upgrading to k8s v0.36, which is incompatible with the vendored banzaicloud istio-operator API. This PR removes that legacy istio ingress backend, fixes the Makefile root cause, and ships the resulting dependency bump.Warning
Breaking change: the
istioingressexternal-listener backend and its KafkaCluster API fields are removed (see below).envoy(default),contour, andnodeportremain.1. Remove legacy banzaicloud istio-operator ingress
The vendored
github.com/banzaicloud/istio-operatorAPI is EOL/unmaintained and fundamentally incompatible with k8s >= 0.35: k8s dropped theproto.Messagemethod set (ProtoMessage()) from core types, so the istio types'proto.Clone/jsonpbcodepaths panic on any message embedding a k8s type (e.g.*corev1.LocalObjectReference). This is the hard blocker for upgrading the k8s dependencies — patching the vendored gen files proved infeasible, so the backend is removed entirely.Deleted:
pkg/resources/istioingress,pkg/util/istioingressthird_partyistio-operator + istio-client-go modulesKafkaCluster API removals (breaking):
istioingressvalue from theingressControllerenumspec.istioControlPlanefieldIstioIngressConfig,IstioControlPlaneReferenceAlso removed the istio scheme registrations, RBAC markers, reconciler wiring, and the istio branch of
GetIngressConfigs/ external-listener status. Regenerated CRDs, RBAC andzz_generated.deepcopy;go mod tidydrops the istio modules. Removed the stale istio-operator entry from.licensei.tomland the istio CRD names from the e2e cleanup list.Migration: clusters using
ingressController: istioingressmust switch toenvoy(default),contour, ornodeport.2. Fix the
update-go-depsCI root causeThe
update-module-depsMakefile macro rango get -uon each direct dep sequentially. Whencontroller-runtimewas upgraded it pulledk8s.io/apito v0.36, butk8s.io/kubectl(indirect, via helm) stayed at v0.35.kubectl v0.35still importsk8s.io/api/scheduling/v1alpha1, which was removed in v0.36 →go mod tidyaborted with a missing-package error.Makefile (
update-module-deps):go get -uloop, explicitly pink8s.io/kubectlandk8s.io/cli-runtimeto the same minor version ask8s.io/apiso the whole k8s ecosystem stays in lockstep..claude/worktreesfrommake tidy'sfindscan (local-only fix); add it to.gitignore.3. Dependency bump (
make update-go-deps)k8s.io/*helm.sh/helm/v3sigs.k8s.io/controller-runtimegoogle.golang.org/grpcSource migrations required by the bump:
NewWebhookManagedByis now generic —ctrl.NewWebhookManagedBy(mgr, &T{}), the.For()call is removed.Validator[T]now uses concrete typed params:ValidateCreate/Update/DeleteinKafkaClusterValidator/KafkaTopicValidatorchange fromruntime.Objectto*KafkaCluster/*KafkaTopic. AddedApply()to mockSubResourceClient; addedCreateACLs()tomockClusterAdmin.autoscaling/v2beta1→autoscaling/v2(package removed).scheme.Builder→runtime.NewSchemeBuilderinapi/v1alpha1,v1beta1(removes controller-runtime from the api module imports);cmmeta.ObjectReference→IssuerReference;corev1.ServiceExternalTrafficPolicyType→ServiceExternalTrafficPolicy;kafkaclientCreateACL→CreateACLs(batched per resource); terratest kubectl/helm helpers → Context variants intests/e2e.Test plan
make update-go-depsexits 0 (verified locally)make tidyexits 0 (verified locally)go build ./...clean (verified locally)go vet ./...clean (verified locally)Update Go Dependenciesworkflow on master after merge to confirm the fix is self-sustaining🤖 Generated with Claude Code