Upgrade Makefile modules

.github/workflows/govulncheck.yaml

@@ -24,7 +24,7 @@ jobs:
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 

.github/workflows/make-self-upgrade.yaml

@@ -38,7 +38,7 @@ jobs:
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 

.github/workflows/release.yml

@@ -8,7 +8,7 @@ env:
   VERSION: ${{ github.ref_name }}
 
 jobs:
-  build_images:
+  build_and_push:
     runs-on: ubuntu-latest
 
     permissions:
@@ -17,8 +17,6 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
 
       - uses: ./.github/actions/repo_access
         with:
@@ -28,40 +26,29 @@ jobs:
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ steps.go-version.outputs.result }}
-
       - uses: docker/login-action@v3
         with:
           registry: quay.io
-          username: ${{ secrets.QUAY_USER }}
+          username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_PASSWORD }}
-      - uses: docker/login-action@v3
+
+      - uses: actions/setup-go@v5
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          go-version: ${{ steps.go-version.outputs.result }}
 
       - id: release
-        run: make -j release
-
-      - uses: actions/upload-artifact@v4
-        with:
-          name: ${{ steps.release.outputs.RELEASE_HELM_CHART_NAME }}-${{ steps.release.outputs.RELEASE_HELM_CHART_VERSION }}.tgz
-          path: ${{ steps.release.outputs.RELEASE_HELM_CHART_TAR }}
-          if-no-files-found: error
+        run: make release
 
     outputs:
       RELEASE_OCI_PREFLIGHT_IMAGE: ${{ steps.release.outputs.RELEASE_OCI_PREFLIGHT_IMAGE }}
       RELEASE_OCI_PREFLIGHT_TAG: ${{ steps.release.outputs.RELEASE_OCI_PREFLIGHT_TAG }}
-      RELEASE_HELM_CHART_NAME: ${{ steps.release.outputs.RELEASE_HELM_CHART_NAME }}
+      RELEASE_HELM_CHART_IMAGE: ${{ steps.release.outputs.RELEASE_HELM_CHART_IMAGE }}
       RELEASE_HELM_CHART_VERSION: ${{ steps.release.outputs.RELEASE_HELM_CHART_VERSION }}
 
   github_release:
     runs-on: ubuntu-latest
 
-    needs: build_images
+    needs: build_and_push
 
     permissions:
       contents: write # needed for creating a PR
@@ -70,15 +57,10 @@ jobs:
     steps:
       - run: |
           touch .notes-file
-          echo "OCI_PREFLIGHT_IMAGE: ${{ needs.build_images.outputs.RELEASE_OCI_PREFLIGHT_IMAGE }}" >> .notes-file
-          echo "OCI_PREFLIGHT_TAG: ${{ needs.build_images.outputs.RELEASE_OCI_PREFLIGHT_TAG }}" >> .notes-file
-          echo "HELM_CHART_NAME: ${{ needs.build_images.outputs.RELEASE_HELM_CHART_NAME }}" >> .notes-file
-          echo "HELM_CHART_VERSION: ${{ needs.build_images.outputs.RELEASE_HELM_CHART_VERSION }}" >> .notes-file
-
-      - id: chart_download
-        uses: actions/download-artifact@v4
-        with:
-          name: ${{ needs.build_images.outputs.RELEASE_HELM_CHART_NAME }}-${{ needs.build_images.outputs.RELEASE_HELM_CHART_VERSION }}.tgz
+          echo "OCI_PREFLIGHT_IMAGE: ${{ needs.build_and_push.outputs.RELEASE_OCI_PREFLIGHT_IMAGE }}" >> .notes-file
+          echo "OCI_PREFLIGHT_TAG: ${{ needs.build_and_push.outputs.RELEASE_OCI_PREFLIGHT_TAG }}" >> .notes-file
+          echo "HELM_CHART_IMAGE: ${{ needs.build_and_push.outputs.RELEASE_HELM_CHART_IMAGE }}" >> .notes-file
+          echo "HELM_CHART_VERSION: ${{ needs.build_and_push.outputs.RELEASE_HELM_CHART_VERSION }}" >> .notes-file
 
       - env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -89,7 +71,3 @@ jobs:
             --draft \
             --verify-tag \
             --notes-file .notes-file
-          
-          gh release upload "$VERSION" \
-            --repo="$GITHUB_REPOSITORY" \
-            "${{ steps.chart_download.outputs.download-path }}/${{ needs.build_images.outputs.RELEASE_HELM_CHART_NAME }}-${{ needs.build_images.outputs.RELEASE_HELM_CHART_VERSION }}.tgz"

OWNERS_ALIASES

@@ -8,7 +8,7 @@ aliases:
     - wallrj
     - jakexks
     - maelvls
-    - irbekrm
     - sgtcodfish
     - inteon
     - thatsmrtalbot
+    - erikgb

hack/e2e/test.sh

@@ -68,7 +68,7 @@ make release \
      OCI_SIGN_ON_PUSH=false \
      oci_platforms=linux/amd64 \
      oci_preflight_image_name=$OCI_BASE/images/venafi-agent \
-     helm_chart_repo_base=oci://$OCI_BASE/charts \
+     helm_chart_image_name=$OCI_BASE/charts/venafi-kubernetes-agent \
      GITHUB_OUTPUT=release.env
 source release.env
 popd

klone.yaml

@@ -10,50 +10,50 @@ targets:
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: c775b91913708e2ea4816373d0b0b4b632b3b524
+      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: c775b91913708e2ea4816373d0b0b4b632b3b524
+      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
       repo_path: modules/go
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: c775b91913708e2ea4816373d0b0b4b632b3b524
+      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: c775b91913708e2ea4816373d0b0b4b632b3b524
+      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: c775b91913708e2ea4816373d0b0b4b632b3b524
+      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: c775b91913708e2ea4816373d0b0b4b632b3b524
+      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
       repo_path: modules/klone
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: c775b91913708e2ea4816373d0b0b4b632b3b524
+      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
       repo_path: modules/oci-build
     - folder_name: oci-publish
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: c775b91913708e2ea4816373d0b0b4b632b3b524
+      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
       repo_path: modules/oci-publish
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: c775b91913708e2ea4816373d0b0b4b632b3b524
+      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: c775b91913708e2ea4816373d0b0b4b632b3b524
+      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
       repo_path: modules/tools

make/00_mod.mk

@@ -5,9 +5,6 @@ kind_cluster_config := $(bin_dir)/scratch/kind_cluster.yaml
 
 build_names := preflight
 
-goos:=
-GOARCH:=$(shell go env GOARCH)
-
 go_preflight_main_dir := .
 go_preflight_mod_dir := .
 go_preflight_ldflags := \
@@ -26,15 +23,10 @@ oci_preflight_image_name_development := jetstack.local/venafi-agent
 deploy_name := venafi-kubernetes-agent
 deploy_namespace := venafi
 
-helm_chart_repo_base := oci://quay.io/jetstack/charts
 helm_chart_source_dir := deploy/charts/venafi-kubernetes-agent
-helm_chart_name := venafi-kubernetes-agent
-helm_chart_app_version := $(VERSION)
-helm_chart_version := $(VERSION:v%=%)
+helm_chart_image_name := quay.io/jetstack/charts/venafi-kubernetes-agent
+helm_chart_version := $(VERSION)
 helm_labels_template_name := preflight.labels
-helm_docs_use_helm_tool := 1
-helm_generate_schema := 1
-helm_verify_values := 1
 
 # Allows us to replace the Helm values.yaml's image.repository and image.tag
 # with the right values.

make/02_mod.mk

@@ -4,15 +4,14 @@ GITHUB_OUTPUT ?= /dev/stderr
 .PHONY: release
 ## Publish all release artifacts (image + helm chart)
 ## @category [shared] Release
-release: $(helm_chart_archive)
+release:
 	$(MAKE) oci-push-preflight
-	$(HELM) push "$(helm_chart_archive)" "$(helm_chart_repo_base)"
+	$(MAKE) helm-chart-oci-push
 
-	@echo "RELEASE_OCI_preflight_IMAGE=$(oci_preflight_image_name)" >> "$(GITHUB_OUTPUT)"
-	@echo "RELEASE_OCI_preflight_TAG=$(oci_preflight_image_tag)" >> "$(GITHUB_OUTPUT)"
-	@echo "RELEASE_HELM_CHART_NAME=$(helm_chart_name)" >> "$(GITHUB_OUTPUT)"
+	@echo "RELEASE_OCI_PREFLIGHT_IMAGE=$(oci_preflight_image_name)" >> "$(GITHUB_OUTPUT)"
+	@echo "RELEASE_OCI_PREFLIGHT_TAG=$(oci_preflight_image_tag)" >> "$(GITHUB_OUTPUT)"
+	@echo "RELEASE_HELM_CHART_IMAGE=$(helm_chart_image_name)" >> "$(GITHUB_OUTPUT)"
 	@echo "RELEASE_HELM_CHART_VERSION=$(helm_chart_version)" >> "$(GITHUB_OUTPUT)"
-	@echo "RELEASE_HELM_CHART_TAR=$(helm_chart_archive)" >> "$(GITHUB_OUTPUT)"
 
 	@echo "Release complete!"
 

make/_shared/go/base/.github/workflows/govulncheck.yaml

@@ -24,7 +24,7 @@ jobs:
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 

make/_shared/helm/crds.mk

@@ -37,6 +37,9 @@ ifeq ($(HOST_OS),darwin)
 	sed_inplace := sed -i ''
 endif
 
+crds_dir ?= deploy/crds
+crds_dir_readme := $(dir $(lastword $(MAKEFILE_LIST)))/crds_dir.README.md
+
 .PHONY: generate-crds
 ## Generate CRD manifests.
 ## @category [shared] Generate/ Verify
@@ -51,7 +54,7 @@ generate-crds: | $(NEEDS_CONTROLLER-GEN) $(NEEDS_YQ)
 		$(directories:%=paths=./%...) \
 		output:crd:artifacts:config=$(crds_gen_temp)
 
-	echo "Updating CRDs with helm templating, writing to $(helm_chart_source_dir)/templates"
+	@echo "Updating CRDs with helm templating, writing to $(helm_chart_source_dir)/templates"
 
 	@for i in $$(ls $(crds_gen_temp)); do \
 		crd_name=$$($(YQ) eval '.metadata.name' $(crds_gen_temp)/$$i); \
@@ -63,4 +66,9 @@ generate-crds: | $(NEEDS_CONTROLLER-GEN) $(NEEDS_YQ)
 		cat $(crd_template_footer) >> $(helm_chart_source_dir)/templates/crd-$$i; \
 	done
 
+	@if [ -n "$$(ls $(crds_gen_temp) 2>/dev/null)" ]; then \
+		cp -Tr $(crds_gen_temp) $(crds_dir); \
+		cp $(crds_dir_readme) $(crds_dir)/README.md; \
+	fi
+
 shared_generate_targets += generate-crds

make/_shared/helm/crds_dir.README.md

@@ -0,0 +1,8 @@
+# CRDs source directory
+
+> **WARNING**: if you are an end-user, you probably should NOT need to use the
+> files in this directory. These files are for **reference, development and testing purposes only**.
+
+This directory contains 'source code' used to build our CustomResourceDefinition
+resources consumed by our officially supported deployment methods (e.g. the Helm chart).
+The CRDs in this directory might be incomplete, and should **NOT** be used to provision the operator.

make/_shared/helm/helm.mk

@@ -24,17 +24,15 @@ ifndef helm_chart_source_dir
 $(error helm_chart_source_dir is not set)
 endif
 
-ifndef helm_chart_name
-$(error helm_chart_name is not set)
+ifndef helm_chart_image_name
+$(error helm_chart_image_name is not set)
 endif
 
 ifndef helm_chart_version
 $(error helm_chart_version is not set)
 endif
-
-ifndef helm_chart_app_version
-# Default to the same as the chart version
-helm_chart_app_version = $(helm_chart_version)
+ifneq ($(helm_chart_version:v%=v),v)
+$(error helm_chart_version "$(helm_chart_version)" should start with a "v")
 endif
 
 ifndef helm_values_mutation_function
@@ -43,6 +41,9 @@ endif
 
 ##########################################
 
+helm_chart_name := $(notdir $(helm_chart_image_name))
+helm_chart_image_registry := $(dir $(helm_chart_image_name))
+helm_chart_image_tag := $(helm_chart_version)
 helm_chart_sources := $(shell find $(helm_chart_source_dir) -maxdepth 1 -type f) $(shell find $(helm_chart_source_dir)/templates -type f)
 helm_chart_archive := $(bin_dir)/scratch/image/$(helm_chart_name)-$(helm_chart_version).tgz
 
@@ -64,17 +65,23 @@ $(helm_chart_archive): $(helm_chart_sources) | $(NEEDS_HELM) $(NEEDS_YQ) $(bin_d
 
 	mkdir -p $(dir $@)
 	$(HELM) package $(helm_chart_source_dir_versioned) \
-		--app-version $(helm_chart_app_version) \
+		--app-version $(helm_chart_version) \
 		--version $(helm_chart_version) \
 		--destination $(dir $@)
 
+.PHONY: helm-chart-oci-push
+## Create and push Helm chart to OCI registry.
+## Will also create a non-v-prefixed tag for the OCI image.
+## @category [shared] Publish
+helm-chart-oci-push: $(helm_chart_archive) | $(NEEDS_HELM) $(NEEDS_CRANE)
+	$(HELM) push "$(helm_chart_archive)" "oci://$(helm_chart_image_registry)"
+	$(CRANE) copy "$(helm_chart_image_name):$(helm_chart_image_tag)" "$(helm_chart_image_name):$(helm_chart_image_tag:v%=%)"
+
 .PHONY: helm-chart
 ## Create a helm chart
 ## @category [shared] Helm Chart
 helm-chart: $(helm_chart_archive)
 
-ifdef helm_docs_use_helm_tool
-
 helm_tool_header_search ?= ^<!-- AUTO-GENERATED -->
 helm_tool_footer_search ?= ^<!-- /AUTO-GENERATED -->
 
@@ -83,35 +90,24 @@ helm_tool_footer_search ?= ^<!-- /AUTO-GENERATED -->
 ## @category [shared] Generate/ Verify
 generate-helm-docs: | $(NEEDS_HELM-TOOL)
 	$(HELM-TOOL) inject -i $(helm_chart_source_dir)/values.yaml -o $(helm_chart_source_dir)/README.md --header-search "$(helm_tool_header_search)" --footer-search "$(helm_tool_footer_search)"
-else
-.PHONY: generate-helm-docs
-## Generate Helm chart documentation.
-## @category [shared] Generate/ Verify
-generate-helm-docs: | $(NEEDS_HELM-DOCS)
-	$(HELM-DOCS) $(helm_chart_source_dir)/
-endif
 
 shared_generate_targets += generate-helm-docs
 
-ifdef helm_generate_schema
 .PHONY: generate-helm-schema
 ## Generate Helm chart schema.
 ## @category [shared] Generate/ Verify
 generate-helm-schema: | $(NEEDS_HELM-TOOL) $(NEEDS_GOJQ)
 	$(HELM-TOOL) schema -i $(helm_chart_source_dir)/values.yaml | $(GOJQ) > $(helm_chart_source_dir)/values.schema.json
 
 shared_generate_targets += generate-helm-schema
-endif
 
-ifdef helm_verify_values
 .PHONY: verify-helm-values
 ## Verify Helm chart values using helm-tool.
 ## @category [shared] Generate/ Verify
 verify-helm-values: | $(NEEDS_HELM-TOOL) $(NEEDS_GOJQ)
 	$(HELM-TOOL) lint -i $(helm_chart_source_dir)/values.yaml -d $(helm_chart_source_dir)/templates -e $(helm_chart_source_dir)/values.linter.exceptions
 
 shared_verify_targets += verify-helm-values
-endif
 
 .PHONY: verify-pod-security-standards
 ## Verify that the Helm chart complies with the pod security standards.

make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml

@@ -38,7 +38,7 @@ jobs:
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}