dep: controller runtime v0.23.3 #296

Merged
KevFan merged 2 commits into Kuadrant:main from KevFan:controller-runtime
Mar 30, 2026

@KevFan KevFan commented Feb 18, 2026

Description

CI unit tests are failing due to setup envtest issue.

Bump controller runtime deps to use latest version of env test.

Related similar issue: metallb/metallb#2950

Summary by CodeRabbit

  • Bug Fixes

    • Clarified CRD schema for certificate secret name: explicit empty-string default and stronger description to document backward-compatible allowance.
    • Prevents attempting to use an empty TLS secret name during install preflight checks (treated as not provided).
  • Chores

    • Upgraded Kubernetes/controller-runtime and related libraries.
    • Makefile now derives the default envtest tooling version from the installed controller runtime.
  • Tests

    • Minor test fixture initialization updated.


adam-cattermole commented Feb 18, 2026

Just a heads up, I pinned envtest in #295 in the Makefile as I didn't want to include too many other changes in the patch release (i.e. controller-runtime bump) - but this PR should probably unpin it again

authorino-operator/Makefile

Lines 145 to 148 in 997a61a

# ENVTEST_VERSION is the version of controller-runtime release branch to fetch the envtest setup script (i.e. release-0.16)
# ENVTEST_VERSION ?= $(shell go list -m -f "{{ .Version }}" sigs.k8s.io/controller-runtime 2>/dev/null | awk -F'[v.]' '{printf "release-%d.%d", $$2, $$3}')
# ENVTEST_VERSION is currently hardcoded to a newer version as the release-0.16 GCS bucket access has been revoked
ENVTEST_VERSION ?= release-0.21

KevFan force-pushed the controller-runtime branch from 0e7c369 to dea91a5, March 30, 2026 11:01

coderabbitai Bot commented Mar 30, 2026

Walkthrough

The pull request updates build tooling to compute ENVTEST_VERSION from the installed controller-runtime module, upgrades Go module dependencies (including Kubernetes and controller-runtime), refines CRD OpenAPI schemas for TLS cert secret name fields by adding default: "" and extended descriptions, adjusts a test fixture TypeMeta, and tweaks controller logic to treat empty secret names as “not provided”.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Build Configuration / Makefile | Replaced hardcoded ENVTEST_VERSION ?= release-0.21 with a computed default derived from sigs.k8s.io/controller-runtime module version using go list and awk. |
| CRD Schema Updates / bundle/manifests/operator.authorino.kuadrant.io_authorinos.yaml, charts/authorino-operator/templates/manifests.yaml, config/crd/bases/operator.authorino.kuadrant.io_authorinos.yaml, config/deploy/manifests.yaml, config/install/manifests.yaml | Added default: "" and expanded descriptions for spec.listener.tls.certSecretRef.name and spec.oidcServer.tls.certSecretRef.name to document backwards-compatible allowance of empty string. |
| Bundle Metadata / bundle/manifests/authorino-operator.clusterserviceversion.yaml | Updated metadata.annotations.createdAt timestamp. |
| Dependency Updates / go.mod | Bumped Kubernetes stack (k8s.io/*), sigs.k8s.io/controller-runtime, and several core/test libraries; many indirect dependencies updated/added/removed. |
| Controller Logic / controllers/authorino_controller.go | Treat TLS cert secret as “not provided” when the secret ref exists but its Name is empty, preventing secret-name derivation/lookup in that case. |
| Test Fixture Enhancement / pkg/reconcilers/authorino_reconciler_test.go | Initialized TypeMeta (Kind: "Service", APIVersion) on the existingService test fixture. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇🌿
I nibble on changes, tidy each line,
Versions aligned, CRDs made fine,
Secrets now checked when their names are bare,
Tests hum along with TypeMeta to spare,
Hop forward, dear repo — I polished you with care.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title references a controller-runtime version bump, which is the primary dependency update across the changeset, making it directly related to the main change. |


Signed-off-by: KevFan <kevin_fan@hotmail.co.uk>
KevFan force-pushed the controller-runtime branch from dea91a5 to 0053523, March 30, 2026 11:02
KevFan marked this pull request as ready for review March 30, 2026 11:17
@guicassolato

/lgtm
/approve

guicassolato previously approved these changes Mar 30, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
pkg/reconcilers/authorino_reconciler_test.go (1)

128-136: ⚠️ Potential issue | 🟠 Major

Add TypeMeta to all Deployment fixtures for Server-Side Apply consistency.

The existingService fixture includes TypeMeta (lines 73–76) to support Server-Side Apply operations, but all three existingDeployment fixtures (lines 128–136, 165–175, and 202–212) lack this initialisation. Since reconcileDeployment calls reconcileResource, which invokes ApplyResource using client.Apply (Server-Side Apply), the Deployment fixtures require TypeMeta for proper operation and consistency.

Update all three fixtures to include TypeMeta following the same pattern as the Service fixture:

Suggested fix for all three existingDeployment fixtures
existingDeployment := &appsv1.Deployment{
	TypeMeta: metav1.TypeMeta{
		Kind:       "Deployment",
		APIVersion: appsv1.SchemeGroupVersion.String(),
	},
	ObjectMeta: metav1.ObjectMeta{
		Name:      "test-authorino",
		Namespace: namespace,
	},
	Spec: appsv1.DeploymentSpec{
		Replicas: pointer.Int32(1),
	},
}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/reconcilers/authorino_reconciler_test.go` around lines 128 - 136, The
three Deployment test fixtures named existingDeployment used by
reconcileDeployment (which calls reconcileResource -> ApplyResource ->
client.Apply) are missing TypeMeta required for Server-Side Apply; update each
existingDeployment fixture to include a TypeMeta block with Kind "Deployment"
and APIVersion set to appsv1.SchemeGroupVersion.String(), mirroring the
existingService fixture pattern so client.Apply receives proper TypeMeta for SSA
operations.
🧹 Nitpick comments (1)
Makefile (1)

145-146: Consider adding a fallback for robustness.

The dynamic computation from controller-runtime version is a good improvement that addresses the unpinning requirement from PR #295. However, if go list fails (e.g., before go mod download), the awk command produces empty output, leaving ENVTEST_VERSION empty.

Consider adding a fallback:

🔧 Suggested fallback pattern
 # ENVTEST_VERSION is the version of controller-runtime release branch to fetch the envtest setup script (i.e. release-0.16)
-ENVTEST_VERSION ?= $(shell go list -m -f "{{ .Version }}" sigs.k8s.io/controller-runtime 2>/dev/null | awk -F'[v.]' '{printf "release-%d.%d", $$2, $$3}')
+ENVTEST_VERSION ?= $(or $(shell go list -m -f "{{ .Version }}" sigs.k8s.io/controller-runtime 2>/dev/null | awk -F'[v.]' '{printf "release-%d.%d", $$2, $$3}'),release-0.19)
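Review bot: the fallback on the `+` line hardcodes release-0.19, which is older than the release-0.21 the Makefile was pinned to earlier in this thread, so a failed `go list` would silently fetch envtest assets that no longer match go.mod. The prompt text for this same finding names release-0.16 instead, which the quoted Makefile comment says can no longer be fetched. Either keep the fallback in step with the controller-runtime version in go.mod, or drop it and make the envtest target stop with an explicit error when the computed value is empty, so a version mismatch surfaces in CI rather than in test behaviour.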
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Makefile` around lines 145 - 146, The computed ENVTEST_VERSION can be empty
if `go list` fails; update the `ENVTEST_VERSION` assignment so it falls back to
a sensible default (e.g., "release-0.16") when the shell pipeline `go list -m -f
"{{ .Version }}" sigs.k8s.io/controller-runtime 2>/dev/null | awk -F'[v.]'
'{printf "release-%d.%d", $$2, $$3}'` produces no output — implement the
fallback using a shell OR or parameter expansion so ENVTEST_VERSION gets the
computed value when available and the default when not, while preserving the
existing variable name ENVTEST_VERSION and behavior when controller-runtime is
present.

📥 Commits

Reviewing files that changed from the base of the PR and between ad1dec3 and 0053523.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (9)
  • Makefile
  • bundle/manifests/authorino-operator.clusterserviceversion.yaml
  • bundle/manifests/operator.authorino.kuadrant.io_authorinos.yaml
  • charts/authorino-operator/templates/manifests.yaml
  • config/crd/bases/operator.authorino.kuadrant.io_authorinos.yaml
  • config/deploy/manifests.yaml
  • config/install/manifests.yaml
  • go.mod
  • pkg/reconcilers/authorino_reconciler_test.go

Comment on lines +97 to 103
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read-only verification: confirm whether empty CertSecret.Name is guarded before use.

rg -nP --type=go -C4 'CertSecret\s*==\s*nil|CertSecret\.Name|namespacedName\(|GetTlsVolume\(' controllers/authorino_controller.go pkg/reconcilers/deployment.go

Repository: Kuadrant/authorino-operator

Length of output: 3483


Avoid defaulting TLS secret names to empty strings without runtime validation.

Setting default: "" on certSecretRef.name permits schema-valid objects that will fail at runtime. The controller checks whether CertSecret is nil (line 178) but does not validate whether Name is empty before using it. The deployment reconciler (lines 103, 110) accesses CertSecret.Name directly with no guard, which would create invalid volume secret references if the name is empty.

If backwards compatibility requires accepting empty values, add explicit name != "" validation in reconciler paths before secret lookup and volume creation (controllers/authorino_controller.go line 185–186 and pkg/reconcilers/deployment.go lines 103–105, 110–112).

Also applies to: 138–143

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@config/crd/bases/operator.authorino.kuadrant.io_authorinos.yaml` around lines
97 - 103, The CRD allows certSecretRef.name to default to an empty string which
can produce runtime failures when CertSecret.Name is used without guarding;
update the reconciler code to validate non-empty secret names before using them:
in controllers/authorino_controller.go (where CertSecret is checked) add an
explicit check that CertSecret.Name != "" before attempting lookups or usage,
and in pkg/reconcilers/deployment.go (the deployment reconciler paths that build
Secret volume mounts / volume references) add guards that ensure
certSecretRef.Name (or CertSecret.Name) is non-empty and return a clear
reconcile error if empty so the controller does not create invalid volume secret
references. Ensure all code paths that read CertSecret.Name perform the
non-empty check first.
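
The empty-name concern raised in the review above, as an added Go example that is not code from the operator or from any participant in this thread. The types and function names are local stand-ins with assumed shapes, and returning an error when TLS is enabled without a usable secret name is an assumption made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Local stand-ins for the API and volume types (assumed shapes, not the operator's code).
type LocalObjectReference struct{ Name string }

type Tls struct {
	Enabled    bool
	CertSecret *LocalObjectReference
}

type Volume struct{ Name, SecretName string }

var ErrNoCertSecret = errors.New("TLS enabled but certSecretRef.name is empty")

// nilCheckOnly is the 'before' shape: with `default: ""` in the CRD, a non-nil
// ref with an empty Name passes this check and yields an invalid secret volume.
func nilCheckOnly(volName string, t Tls) (*Volume, error) {
	if !t.Enabled {
		return nil, nil
	}
	if t.CertSecret == nil {
		return nil, ErrNoCertSecret
	}
	return &Volume{Name: volName, SecretName: t.CertSecret.Name}, nil
}

// guarded treats an empty Name the same as a missing ref ("not provided").
func guarded(volName string, t Tls) (*Volume, error) {
	if !t.Enabled {
		return nil, nil
	}
	if t.CertSecret == nil || t.CertSecret.Name == "" {
		return nil, ErrNoCertSecret
	}
	return &Volume{Name: volName, SecretName: t.CertSecret.Name}, nil
}

func main() {
	// Constructed input: certSecretRef present, name left to the CRD default of "".
	defaulted := Tls{Enabled: true, CertSecret: &LocalObjectReference{}}
	v, _ := nilCheckOnly("tls-cert", defaulted)
	fmt.Printf("nil check only: volume with SecretName=%q\n", v.SecretName)
	_, err := guarded("tls-cert", defaulted)
	fmt.Println("guarded:", err)
}
```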

Signed-off-by: KevFan <kevin_fan@hotmail.co.uk>
KevFan changed the title from "dep: controller runtime v.0.23.1" to "dep: controller runtime v.0.23.3" Mar 30, 2026
KevFan changed the title from "dep: controller runtime v.0.23.3" to "dep: controller runtime v0.23.3" Mar 30, 2026
KevFan added this pull request to the merge queue Mar 30, 2026
Merged via the queue into Kuadrant:main with commit 69f857b Mar 30, 2026
14 checks passed
KevFan deleted the controller-runtime branch March 30, 2026 14:10