chore: backport 20260318

.github/dependabot.yml

@@ -6,3 +6,33 @@ updates:
       interval: "weekly"
     commit-message:
       prefix: "chore"
+
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+    labels:
+      - "dependencies"
+    open-pull-requests-limit: 10
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
+    groups:
+      kubernetes:
+        patterns:
+          - "k8s.io/*"
+          - "sigs.k8s.io/*"
+      azure-sdk:
+        patterns:
+          - "github.com/Azure/*"
+          - "github.com/AzureAD/*"
+      all-others:
+        patterns:
+          - "*"
+        exclude-patterns:
+          - "k8s.io/*"
+          - "sigs.k8s.io/*"
+          - "github.com/Azure/*"
+          - "github.com/AzureAD/*"

.github/workflows/chart.yml

@@ -57,18 +57,19 @@ jobs:
         run: |
           set -euo pipefail
 
-          RELEASE_VERSION="${{ needs.export-registry.outputs.version }}"
-
+          RELEASE_TAG="${{ needs.export-registry.outputs.tag }}"
+          CHART_VERSION="${{ needs.export-registry.outputs.version }}"
           OCI_REGISTRY="${{ needs.export-registry.outputs.registry }}/charts"
-          make helm-push REGISTRY="${OCI_REGISTRY}" TAG="${RELEASE_VERSION}"
+
+          make helm-push REGISTRY="${OCI_REGISTRY}" TAG="${RELEASE_TAG}" CHART_VERSION="${CHART_VERSION}"
 
       - name: Verify chart appVersion matches release tag
         run: |
           set -euo pipefail
 
-          RELEASE_VERSION="${{ needs.export-registry.outputs.version }}"
-          CHART_VERSION="${RELEASE_VERSION}"
-          EXPECTED_APP_VERSION="${RELEASE_VERSION}"
+          RELEASE_TAG="${{ needs.export-registry.outputs.tag }}"
+          CHART_VERSION="${{ needs.export-registry.outputs.version }}"
+          EXPECTED_APP_VERSION="${RELEASE_TAG}"
 
           rm -rf .helm-verify
           mkdir -p .helm-verify

.github/workflows/ci.yml

@@ -184,7 +184,7 @@ jobs:
 
       - name: Upload logs
         if: always()
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: e2e-logs-${{ matrix.customized-settings }}
           path: test/e2e/logs-${{ matrix.customized-settings }}/

.github/workflows/codespell.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
         with:
           egress-policy: audit
 

Makefile

@@ -66,7 +66,7 @@ STATICCHECK_VER := v0.6.1
 STATICCHECK_BIN := staticcheck
 STATICCHECK := $(abspath $(TOOLS_BIN_DIR)/$(STATICCHECK_BIN)-$(STATICCHECK_VER))
 
-GOIMPORTS_VER := latest
+GOIMPORTS_VER := v0.42.0
 GOIMPORTS_BIN := goimports
 GOIMPORTS := $(abspath $(TOOLS_BIN_DIR)/$(GOIMPORTS_BIN)-$(GOIMPORTS_VER))
 
@@ -290,10 +290,10 @@ push: ## Build and push all Docker images
 
 .PHONY: helm-push
 helm-push: ## Package and push Helm charts to OCI registry
-	helm package charts/hub-agent --version $(TAG) --app-version $(TAG) --destination .helm-packages
-	helm package charts/member-agent --version $(TAG) --app-version $(TAG) --destination .helm-packages
-	helm push .helm-packages/hub-agent-$(TAG).tgz oci://$(REGISTRY)
-	helm push .helm-packages/member-agent-$(TAG).tgz oci://$(REGISTRY)
+	helm package charts/hub-agent --version $(CHART_VERSION) --app-version $(TAG) --destination .helm-packages
+	helm package charts/member-agent --version $(CHART_VERSION) --app-version $(TAG) --destination .helm-packages
+	helm push .helm-packages/hub-agent-$(CHART_VERSION).tgz oci://$(REGISTRY)
+	helm push .helm-packages/member-agent-$(CHART_VERSION).tgz oci://$(REGISTRY)
 	rm -rf .helm-packages
 
 # By default, docker buildx create will pull image moby/buildkit:buildx-stable-1 and hit the too many requests error

charts/hub-agent/Chart.yaml

@@ -21,4 +21,4 @@ version: 0.1.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.0"
+appVersion: "v0.1.0"

charts/hub-agent/README.md

@@ -103,7 +103,6 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen
 | `webhookClientConnectionType`             | Connection type for webhook client (service or url)                                        | `service`                                        |
 | `useCertManager`                          | Use cert-manager for webhook certificate management (requires `enableWorkload=true`)       | `false`                                          |
 | `webhookCertSecretName`                   | Name of the Secret where cert-manager stores the certificate (required when enabled)       | `unset`                                          |
-| `enableV1Beta1APIs`                       | Watch for v1beta1 APIs                                                                     | `true`                                           |
 | `enableClusterInventoryAPI`               | Enable cluster inventory APIs                                                               | `true`                                           |
 | `enableStagedUpdateRunAPIs`               | Enable staged update run APIs                                                              | `true`                                           |
 | `enableEvictionAPIs`                      | Enable eviction APIs                                                                        | `true`                                           |

charts/hub-agent/templates/crds/crps.yaml

@@ -1,4 +1,2 @@
 {{- $files := .Files }}
-{{- if .Values.enableV1Beta1APIs }}
 {{ $files.Get "crdbases/placement.kubernetes-fleet.io_clusterresourceplacements.yaml" }}
-{{- end }}

charts/hub-agent/templates/crds/internalmemberclusters.yaml

@@ -1,4 +1,2 @@
 {{- $files := .Files }}
-{{- if .Values.enableV1Beta1APIs }}
 {{ $files.Get "crdbases/cluster.kubernetes-fleet.io_internalmemberclusters.yaml" }}
-{{- end }}

charts/hub-agent/templates/crds/memberclusters.yaml

@@ -1,4 +1,2 @@
 {{- $files := .Files }}
-{{- if .Values.enableV1Beta1APIs }}
 {{ $files.Get "crdbases/cluster.kubernetes-fleet.io_memberclusters.yaml" }}
-{{- end }}

charts/hub-agent/templates/crds/works.yaml

@@ -1,4 +1,2 @@
 {{- $files := .Files }}
-{{- if .Values.enableV1Beta1APIs }}
 {{ $files.Get "crdbases/placement.kubernetes-fleet.io_works.yaml" }}
-{{- end }}

charts/hub-agent/templates/deployment.yaml

@@ -20,7 +20,7 @@ spec:
     spec:
       serviceAccountName: {{ include "hub-agent.fullname" . }}-sa
       initContainers:
-        {{- if and .Values.crdInstaller.enabled .Values.enableV1Beta1APIs }}
+        {{- if .Values.crdInstaller.enabled }}
         - name: crd-installer
           image: "{{ .Values.crdInstaller.image.repository }}:{{ .Values.crdInstaller.image.tag }}"
           imagePullPolicy: {{ .Values.crdInstaller.image.pullPolicy }}
@@ -43,7 +43,6 @@ spec:
             - --webhook-client-connection-type={{.Values.webhookClientConnectionType}}
             - --v={{ .Values.logVerbosity }}
             - -add_dir_header
-            - --enable-v1beta1-apis={{ .Values.enableV1Beta1APIs }}
             - --enable-cluster-inventory-apis={{ .Values.enableClusterInventoryAPI }}
             - --enable-staged-update-run-apis={{ .Values.enableStagedUpdateRunAPIs }}
             - --enable-eviction-apis={{ .Values.enableEvictionAPIs}}

charts/hub-agent/values.yaml

@@ -53,7 +53,6 @@ tolerations: []
 
 affinity: {}
 
-enableV1Beta1APIs: true
 enableClusterInventoryAPI: true
 enableStagedUpdateRunAPIs: true
 enableEvictionAPIs: true

charts/member-agent/templates/deployment.yaml

@@ -17,7 +17,7 @@ spec:
       restartPolicy: Always
       serviceAccountName: {{ include "member-agent.fullname" . }}-sa
       initContainers:
-        {{- if and .Values.crdInstaller.enabled .Values.enableV1Beta1APIs }}
+        {{- if .Values.crdInstaller.enabled }}
         - name: crd-installer
           image: "{{ .Values.crdInstaller.image.repository }}:{{ .Values.crdInstaller.image.tag }}"
           imagePullPolicy: {{ .Values.crdInstaller.image.pullPolicy }}
@@ -41,7 +41,6 @@ spec:
             {{- end }}
             - --v={{ .Values.logVerbosity }}
             - -add_dir_header
-            - --enable-v1beta1-apis={{ .Values.enableV1Beta1APIs }}
             - --enable-pprof={{ .Values.enablePprof }}
             - --pprof-port={{ .Values.pprofPort }}
             - --hub-pprof-port={{ .Values.hubPprofPort }}

charts/member-agent/values.yaml

@@ -68,8 +68,6 @@ azure:
 tlsClientInsecure: true #TODO should be false in the production
 useCAAuth: false
 
-enableV1Beta1APIs: true
-
 enablePprof: true
 pprofPort: 6065
 hubPprofPort: 6066

cmd/hubagent/options/options_test.go

@@ -707,6 +707,123 @@ func TestPlacementManagementOptions(t *testing.T) {
 	}
 }
 
+// TestWebhookOptions tests the parsing and validation logic of the webhook options defined in WebhookOptions.
+func TestWebhookOptions(t *testing.T) {
+	testCases := []struct {
+		name             string
+		flagSetName      string
+		args             []string
+		wantWebhookOpts  WebhookOptions
+		wantErred        bool
+		wantErrMsgSubStr string
+	}{
+		{
+			name:        "all default",
+			flagSetName: "allDefault",
+			args:        []string{},
+			wantWebhookOpts: WebhookOptions{
+				EnableWebhooks:                         true,
+				ClientConnectionType:                   "url",
+				ServiceName:                            "fleetwebhook",
+				EnableGuardRail:                        false,
+				GuardRailWhitelistedUsers:              "",
+				GuardRailDenyModifyMemberClusterLabels: false,
+				EnableWorkload:                         false,
+				UseCertManager:                         false,
+			},
+		},
+		{
+			name:        "all specified",
+			flagSetName: "allSpecified",
+			args: []string{
+				"--enable-webhook=false",
+				"--webhook-client-connection-type=service",
+				"--webhook-service-name=customwebhook",
+				"--enable-guard-rail=true",
+				"--whitelisted-users=user1,user2",
+				"--deny-modify-member-cluster-labels=true",
+				"--enable-workload=true",
+				"--use-cert-manager=true",
+			},
+			wantWebhookOpts: WebhookOptions{
+				EnableWebhooks:                         false,
+				ClientConnectionType:                   "service",
+				ServiceName:                            "customwebhook",
+				EnableGuardRail:                        true,
+				GuardRailWhitelistedUsers:              "user1,user2",
+				GuardRailDenyModifyMemberClusterLabels: true,
+				EnableWorkload:                         true,
+				UseCertManager:                         true,
+			},
+		},
+		{
+			name:        "webhook client connection type URL (case-insensitive)",
+			flagSetName: "webhookClientConnTypeURL",
+			args:        []string{"--webhook-client-connection-type=URL"},
+			wantWebhookOpts: WebhookOptions{
+				EnableWebhooks:                         true,
+				ClientConnectionType:                   "url",
+				ServiceName:                            "fleetwebhook",
+				EnableGuardRail:                        false,
+				GuardRailWhitelistedUsers:              "",
+				GuardRailDenyModifyMemberClusterLabels: false,
+				EnableWorkload:                         false,
+				UseCertManager:                         false,
+			},
+		},
+		{
+			name:        "webhook client connection type service (case-insensitive)",
+			flagSetName: "webhookClientConnTypeService",
+			args:        []string{"--webhook-client-connection-type=Service"},
+			wantWebhookOpts: WebhookOptions{
+				EnableWebhooks:                         true,
+				ClientConnectionType:                   "service",
+				ServiceName:                            "fleetwebhook",
+				EnableGuardRail:                        false,
+				GuardRailWhitelistedUsers:              "",
+				GuardRailDenyModifyMemberClusterLabels: false,
+				EnableWorkload:                         false,
+				UseCertManager:                         false,
+			},
+		},
+		{
+			name:             "invalid webhook client connection type",
+			flagSetName:      "webhookClientConnTypeInvalid",
+			args:             []string{"--webhook-client-connection-type=ftp"},
+			wantErred:        true,
+			wantErrMsgSubStr: "invalid webhook client connection type",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			flags := flag.NewFlagSet(tc.flagSetName, flag.ContinueOnError)
+			webhookOpts := WebhookOptions{}
+			webhookOpts.AddFlags(flags)
+
+			err := flags.Parse(tc.args)
+			if tc.wantErred {
+				if err == nil {
+					t.Fatalf("flag Parse() = nil, want erred")
+				}
+
+				if !strings.Contains(err.Error(), tc.wantErrMsgSubStr) {
+					t.Fatalf("flag Parse() error = %v, want error msg with sub-string %s", err, tc.wantErrMsgSubStr)
+				}
+				return
+			}
+
+			if err != nil {
+				t.Fatalf("flag Parse() = %v, want nil", err)
+			}
+
+			if diff := cmp.Diff(webhookOpts, tc.wantWebhookOpts); diff != "" {
+				t.Errorf("webhook options diff (-got, +want):\n%s", diff)
+			}
+		})
+	}
+}
+
 // TestRateLimitOptions tests the parsing and validation logic of the rate limit options defined in RateLimitOptions.
 func TestRateLimitOptions(t *testing.T) {
 	testCases := []struct {

cmd/hubagent/options/webhooks.go

@@ -71,22 +71,10 @@ func (o *WebhookOptions) AddFlags(flags *flag.FlagSet) {
 		"Enable the KubeFleet webhooks or not.",
 	)
 
-	flags.Func(
+	flags.Var(
+		newWebhookClientConnTypeValueWithValidation(string(URL), &o.ClientConnectionType),
 		"webhook-client-connection-type",
 		"The connection type used by the webhook client. Valid values are `url` and `service`. Defaults to `url`. This option only applies if webhooks are enabled.",
-		func(s string) error {
-			if len(s) == 0 {
-				o.ClientConnectionType = "url"
-				return nil
-			}
-
-			parsedStr, err := parseWebhookClientConnectionString(s)
-			if err != nil {
-				return fmt.Errorf("invalid webhook client connection type: %w", err)
-			}
-			o.ClientConnectionType = string(parsedStr)
-			return nil
-		},
 	)
 
 	flags.StringVar(
@@ -131,3 +119,28 @@ func (o *WebhookOptions) AddFlags(flags *flag.FlagSet) {
 		"Use the cert-manager project for managing KubeFleet webhook server certificates or not. If set to false, the system will use self-signed certificates. If set to true, the EnableWorkload option must be set to true as well. This option only applies if webhooks are enabled.",
 	)
 }
+
+type WebhookClientConnTypeValueWithValidation string
+
+func (v *WebhookClientConnTypeValueWithValidation) String() string {
+	return string(*v)
+}
+
+func (v *WebhookClientConnTypeValueWithValidation) Set(s string) error {
+	if len(s) == 0 {
+		*v = "url"
+		return nil
+	}
+
+	parsedStr, err := parseWebhookClientConnectionString(s)
+	if err != nil {
+		return fmt.Errorf("invalid webhook client connection type: %w", err)
+	}
+	*v = WebhookClientConnTypeValueWithValidation(parsedStr)
+	return nil
+}
+
+func newWebhookClientConnTypeValueWithValidation(defaultVal string, p *string) *WebhookClientConnTypeValueWithValidation {
+	*p = defaultVal
+	return (*WebhookClientConnTypeValueWithValidation)(p)
+}

hack/Azure/property-based-scheduling.md

@@ -123,7 +123,6 @@ helm install hub-agent charts/hub-agent/ \
     --set namespace=fleet-system \
     --set enableWebhook=true \
     --set webhookClientConnectionType=service \
-    --set enableV1Beta1APIs=true
 ```
 
 It will take a few moments to complete the installation. After the command returns, verify that the Fleet hub agent is up and running with this command:
@@ -185,7 +184,6 @@ do
         --set config.memberClusterName="${MEMBER_CLUSTERS[$i]}" \
         --set logVerbosity=5 \
         --set namespace=fleet-system \
-        --set enableV1Beta1APIs=true \
         --set propertyProvider=$PROPERTY_PROVIDER
 done
 ```

hack/Azure/setup/createHubCluster.sh

@@ -30,7 +30,6 @@ helm install hub-agent charts/hub-agent/ \
   --set namespace=fleet-system \
   --set enableWebhook=false \
   --set webhookClientConnectionType=service \
-  --set enableV1Beta1APIs=true \
   --set clusterUnhealthyThreshold="3m0s" \
   --set forceDeleteWaitTime="1m0s" \
   --set resources.limits.cpu=4 \

hack/Azure/setup/joinMC.sh

@@ -88,8 +88,7 @@ helm install member-agent charts/member-agent/ \
         --set refreshtoken.pullPolicy=Always \
         --set config.memberClusterName=$MEMBER_CLUSTER \
         --set logVerbosity=5 \
-        --set namespace=fleet-system \
-        --set enableV1Beta1APIs=true
+        --set namespace=fleet-system
 
 kubectl get pods -A
 kubectl config use-context $HUB_CLUSTER_CONTEXT