WIP: CORENET-7045: INFW K8s rebase to 1.36.1

.ci-operator.yaml

@@ -1,4 +1,4 @@
 build_root_image:
   name: release
   namespace: openshift
-  tag: rhel-9-release-golang-1.25-openshift-4.22
+  tag: rhel-9-release-golang-1.26-openshift-5.0

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.25 as builder
+FROM golang:1.26 as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests

Dockerfile.daemon

@@ -1,4 +1,4 @@
-FROM golang:1.25 AS builder
+FROM golang:1.26 AS builder
 WORKDIR /go/src/github.com/openshift/ingress-node-firewall
 COPY . .
 

Dockerfile.daemon.openshift

@@ -1,10 +1,10 @@
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder
 
 WORKDIR /go/src/github.com/openshift/ingress-node-firewall
 COPY . .
 RUN ./hack/build-daemon.sh
 
-FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
+FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
 COPY --from=builder /go/src/github.com/openshift/ingress-node-firewall/bin/daemon /usr/bin/
 COPY --from=builder /go/src/github.com/openshift/ingress-node-firewall/bin/syslog /usr/bin/
 CMD ["/usr/bin/daemon"]

Dockerfile.openshift

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder
 
 WORKDIR /workspace
 
@@ -18,7 +18,7 @@ COPY bindata/manifests/ bindata/manifests/
 # Build
 RUN CGO_ENABLED=0 GO111MODULE=on go build -a -mod=vendor -o manager main.go
 
-FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
+FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
 WORKDIR /
 COPY --from=builder /workspace/manager .
 COPY --from=builder /workspace/bindata/manifests /bindata/manifests

Makefile

@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 4.22.0
+VERSION ?= 5.0.0
 CSV_VERSION = $(shell echo $(VERSION) | sed 's/v//')
 ifeq ($(VERSION), latest)
 CSV_VERSION := 0.0.0
@@ -57,7 +57,7 @@ endif
 IMG ?= quay.io/openshift/origin-ingress-node-firewall:latest
 DAEMON_IMG ?= quay.io/openshift/origin-ingress-node-firewall-daemon:latest
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
-ENVTEST_K8S_VERSION = 1.32.x
+ENVTEST_K8S_VERSION = 1.36.0
 
 # Default namespace
 NAMESPACE ?= ingress-node-firewall-system
@@ -268,8 +268,8 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v3.8.7
-CONTROLLER_TOOLS_VERSION ?= v0.20.1
-OPERATOR_SDK_VERSION=v1.33.0
+CONTROLLER_TOOLS_VERSION ?= v0.21.0
+OPERATOR_SDK_VERSION=v1.42.2
 
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize
@@ -285,7 +285,7 @@ $(CONTROLLER_GEN): $(LOCALBIN)
 .PHONY: envtest
 envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
 $(ENVTEST): $(LOCALBIN)
-	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) GOFLAGS="" go install sigs.k8s.io/controller-runtime/tools/setup-envtest@release-0.20
+	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) GOFLAGS="" go install sigs.k8s.io/controller-runtime/tools/setup-envtest@release-0.24
 
 .PHONY: bundle
 bundle: operator-sdk manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
@@ -363,17 +363,20 @@ OPM = $(shell which opm)
 endif
 endif
 
-PHONY: operator-sdk
-operator-sdk: ## Get the current operator-sdk binary, If there isn't any, we'll use the GOBIN path.
-ifeq (, $(shell which operator-sdk))
+.PHONY: operator-sdk
+OPERATOR_SDK = $(LOCALBIN)/operator-sdk
+operator-sdk: ## Download operator-sdk locally if necessary.
+ifeq (,$(wildcard $(OPERATOR_SDK)))
+ifeq (,$(shell which operator-sdk 2>/dev/null))
 	@{ \
 	set -e ;\
-	curl -Lk  https://github.com/operator-framework/operator-sdk/releases/download/$(OPERATOR_SDK_VERSION)/operator-sdk_linux_amd64 > $(GOBIN)/operator-sdk ;\
-	chmod u+x $(GOBIN)/operator-sdk ;\
+	mkdir -p $(LOCALBIN) ;\
+	curl -Lk https://github.com/operator-framework/operator-sdk/releases/download/$(OPERATOR_SDK_VERSION)/operator-sdk_linux_amd64 > $(OPERATOR_SDK) ;\
+	chmod u+x $(OPERATOR_SDK) ;\
 	}
-OPERATOR_SDK=$(GOBIN)/operator-sdk
 else
-OPERATOR_SDK=$(shell which operator-sdk)
+OPERATOR_SDK = $(shell which operator-sdk)
+endif
 endif
 
 .PHONY: generate-daemon-manifest
@@ -419,7 +422,7 @@ catalog-push: ## Push a catalog image.
 	$(MAKE) docker-push IMG=$(CATALOG_IMG)
 
 CILIUM_EBPF_VERSION := v0.18.0
-GOLANGCI_LINT_VERSION = v1.54.2
+GOLANGCI_LINT_VERSION = v1.64.8
 CLANG ?= clang
 CFLAGS := -O2 -g -Wall -Werror $(CFLAGS)
 GOOS ?= linux

README.md

@@ -68,7 +68,7 @@ make undeploy-samples
 
 You need to install the following packages:
 
-operator-sdk 1.33.0
+operator-sdk 1.42.2
 
 controller-gen v0.20.1+
 

api/v1alpha1/groupversion_info.go

@@ -29,7 +29,7 @@ var (
 	GroupVersion = schema.GroupVersion{Group: "ingressnodefirewall.openshift.io", Version: "v1alpha1"}
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
-	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} //nolint:staticcheck
 
 	// AddToScheme adds the types in this group-version to the given scheme.
 	AddToScheme = SchemeBuilder.AddToScheme

bundle.Dockerfile

@@ -6,7 +6,7 @@ LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
 LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
 LABEL operators.operatorframework.io.bundle.package.v1=ingress-node-firewall
 LABEL operators.operatorframework.io.bundle.channels.v1=alpha
-LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.34.1
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.42.2
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3
 

bundle/manifests/ingress-node-firewall.clusterserviceversion.yaml

@@ -87,17 +87,17 @@ metadata:
     categories: Networking
     certified: "false"
     containerImage: quay.io/openshift/origin-ingress-node-firewall:latest
-    createdAt: "2025-09-04T08:08:17Z"
+    createdAt: "2026-05-27T11:28:23Z"
     features.operators.openshift.io/disconnected: "true"
     features.operators.openshift.io/fips-compliant: "true"
     features.operators.openshift.io/proxy-aware: "false"
     features.operators.openshift.io/tls-profiles: "false"
     features.operators.openshift.io/token-auth-aws: "false"
     features.operators.openshift.io/token-auth-azure: "false"
     features.operators.openshift.io/token-auth-gcp: "false"
-    olm.skipRange: '>=4.11.0 <4.22.0'
+    olm.skipRange: '>=4.11.0 <5.0.0'
     operatorframework.io/suggested-namespace: openshift-ingress-node-firewall
-    operators.operatorframework.io/builder: operator-sdk-v1.34.1
+    operators.operatorframework.io/builder: operator-sdk-v1.42.2
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/openshift/ingress-node-firewall
     support: Red Hat
@@ -106,7 +106,7 @@ metadata:
     operatorframework.io/arch.arm64: supported
     operatorframework.io/arch.ppc64le: supported
     operatorframework.io/arch.s390x: supported
-  name: ingress-node-firewall.v4.22.0
+  name: ingress-node-firewall.v5.0.0
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -167,43 +167,7 @@ spec:
           - ingressnodefirewall.openshift.io
           resources:
           - ingressnodefirewallconfigs
-          verbs:
-          - create
-          - delete
-          - get
-          - list
-          - patch
-          - update
-          - watch
-        - apiGroups:
-          - ingressnodefirewall.openshift.io
-          resources:
-          - ingressnodefirewallconfigs/finalizers
-          verbs:
-          - update
-        - apiGroups:
-          - ingressnodefirewall.openshift.io
-          resources:
-          - ingressnodefirewallconfigs/status
-          verbs:
-          - get
-          - patch
-          - update
-        - apiGroups:
-          - ingressnodefirewall.openshift.io
-          resources:
           - ingressnodefirewallnodestates
-          verbs:
-          - create
-          - delete
-          - get
-          - list
-          - patch
-          - update
-          - watch
-        - apiGroups:
-          - ingressnodefirewall.openshift.io
-          resources:
           - ingressnodefirewalls
           verbs:
           - create
@@ -216,12 +180,14 @@ spec:
         - apiGroups:
           - ingressnodefirewall.openshift.io
           resources:
+          - ingressnodefirewallconfigs/finalizers
           - ingressnodefirewalls/finalizers
           verbs:
           - update
         - apiGroups:
           - ingressnodefirewall.openshift.io
           resources:
+          - ingressnodefirewallconfigs/status
           - ingressnodefirewalls/status
           verbs:
           - get
@@ -448,7 +414,7 @@ spec:
   - ingressnodefirewall
   labels:
     olm-owner-enterprise-app: ingress-node-firewall
-    olm-status-descriptors: ingress-node-firewall.v4.22.0
+    olm-status-descriptors: ingress-node-firewall.v5.0.0
   links:
   - name: Ingress Node Firewall
     url: https://github.com/openshift/ingress-node-firewall
@@ -458,7 +424,7 @@ spec:
   maturity: alpha
   provider:
     name: Red Hat, Inc
-  version: 4.22.0
+  version: 5.0.0
   webhookdefinitions:
   - admissionReviewVersions:
     - v1

bundle/manifests/ingressnodefirewall.openshift.io_ingressnodefirewallconfigs.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.21.0
   creationTimestamp: null
   name: ingressnodefirewallconfigs.ingressnodefirewall.openshift.io
 spec:
@@ -70,16 +70,8 @@ spec:
                 description: Conditions show the current state of the Ingress Node
                   Firewall Config resource
                 items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource.\n---\nThis struct is intended for
-                    direct use as an array at the field path .status.conditions.  For
-                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
-                    observations of a foo's current state.\n\t    // Known .status.conditions.type
-                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
-                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
-                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
-                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
-                    \   // other fields\n\t}"
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
                   properties:
                     lastTransitionTime:
                       description: |-
@@ -120,12 +112,7 @@ spec:
                       - Unknown
                       type: string
                     type:
-                      description: |-
-                        type of condition in CamelCase or in foo.example.com/CamelCase.
-                        ---
-                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
-                        useful (see .node.status.conditions), the ability to deconflict is important.
-                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                       type: string

bundle/manifests/ingressnodefirewall.openshift.io_ingressnodefirewallnodestates.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.21.0
   creationTimestamp: null
   name: ingressnodefirewallnodestates.ingressnodefirewall.openshift.io
 spec:

bundle/manifests/ingressnodefirewall.openshift.io_ingressnodefirewalls.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.21.0
   creationTimestamp: null
   name: ingressnodefirewalls.ingressnodefirewall.openshift.io
 spec:

bundle/metadata/annotations.yaml

@@ -5,7 +5,7 @@ annotations:
   operators.operatorframework.io.bundle.metadata.v1: metadata/
   operators.operatorframework.io.bundle.package.v1: ingress-node-firewall
   operators.operatorframework.io.bundle.channels.v1: alpha
-  operators.operatorframework.io.metrics.builder: operator-sdk-v1.34.1
+  operators.operatorframework.io.metrics.builder: operator-sdk-v1.42.2
   operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
   operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3
 

config/crd/bases/ingressnodefirewall.openshift.io_ingressnodefirewallconfigs.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.1
+    controller-gen.kubebuilder.io/version: v0.21.0
   name: ingressnodefirewallconfigs.ingressnodefirewall.openshift.io
 spec:
   group: ingressnodefirewall.openshift.io

config/crd/bases/ingressnodefirewall.openshift.io_ingressnodefirewallnodestates.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.1
+    controller-gen.kubebuilder.io/version: v0.21.0
   name: ingressnodefirewallnodestates.ingressnodefirewall.openshift.io
 spec:
   group: ingressnodefirewall.openshift.io

config/crd/bases/ingressnodefirewall.openshift.io_ingressnodefirewalls.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.1
+    controller-gen.kubebuilder.io/version: v0.21.0
   name: ingressnodefirewalls.ingressnodefirewall.openshift.io
 spec:
   group: ingressnodefirewall.openshift.io

config/manifests/bases/ingress-node-firewall.clusterserviceversion.yaml

@@ -15,7 +15,7 @@ metadata:
     features.operators.openshift.io/token-auth-aws: "false"
     features.operators.openshift.io/token-auth-azure: "false"
     features.operators.openshift.io/token-auth-gcp: "false"
-    olm.skipRange: '>=4.11.0 <4.22.0'
+    olm.skipRange: '>=4.11.0 <5.0.0'
     operatorframework.io/suggested-namespace: openshift-ingress-node-firewall
     repository: https://github.com/openshift/ingress-node-firewall
     support: Red Hat
@@ -71,7 +71,7 @@ spec:
   - ingressnodefirewall
   labels:
     olm-owner-enterprise-app: ingress-node-firewall
-    olm-status-descriptors: ingress-node-firewall.v4.22.0
+    olm-status-descriptors: ingress-node-firewall.v5.0.0
   links:
   - name: Ingress Node Firewall
     url: https://github.com/openshift/ingress-node-firewall

config/olm-install/install-resources.yaml

@@ -10,7 +10,7 @@ metadata:
   namespace: ingress-node-firewall-system
 spec:
   displayName: Ingress Node Firewall Index
-  image: quay.io/openshift/ingress-nodefw/ingress-node-firewall-index:v4.22.0
+  image: quay.io/openshift/ingress-nodefw/ingress-node-firewall-index:v5.0.0
   publisher: github.com/openshift/ingress-node-firewall
   sourceType: grpc
 ---