From b8f7d5a227a465cb583a1759c2d525aba482a64b Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 2 Oct 2025 09:45:17 +0200
Subject: [PATCH] chore(deps): update dependency golangci/golangci-lint to
 v2.5.0 (#1663)

* chore(deps): update dependency golangci/golangci-lint to v2.5.0

* chore(deps): update dependency golangci/golangci-lint to v2.5.0

Signed-off-by: Hristo Hristov <me@hhristov.info>

* chore(deps): update dependency golangci/golangci-lint to v2.5.0

Signed-off-by: Hristo Hristov <me@hhristov.info>

---------

Signed-off-by: Hristo Hristov <me@hhristov.info>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Hristo Hristov <me@hhristov.info>
---
 .golangci.yaml                                |  1 +
 Makefile                                      |  2 +-
 api/v1beta1/owner_list.go                     |  2 +-
 api/v1beta1/tenant_types.go                   |  2 +-
 api/v1beta2/owner_list.go                     |  2 +-
 api/v1beta2/resourcepool_func.go              |  4 ++--
 api/v1beta2/tenant_func.go                    |  2 +-
 api/v1beta2/tenant_labels.go                  |  2 +-
 api/v1beta2/tenant_types.go                   |  2 +-
 controllers/config/manager.go                 |  2 +-
 controllers/rbac/manager.go                   |  6 ++---
 controllers/resourcepools/claim_controller.go |  4 ++--
 controllers/resourcepools/pool_controller.go  | 14 +++++------
 controllers/tenant/manager.go                 | 23 +++++++++----------
 controllers/tenant/namespaces.go              |  6 ++---
 controllers/tenant/resourcequotas.go          | 12 ++++------
 controllers/tenant/resourcequotas_quota.go    |  4 ++--
 controllers/tenant/rolebindings.go            |  9 ++++----
 controllers/tenant/utils.go                   |  4 ++--
 pkg/api/allowed_list.go                       |  4 ++--
 pkg/api/forbidden_list.go                     |  6 ++---
 pkg/cert/ca.go                                | 11 ++++-----
 pkg/configuration/client.go                   |  1 +
 pkg/indexer/ingress/hostname_path.go          |  2 +-
 pkg/utils/owner.go                            |  2 +-
 pkg/utils/tenant_labels.go                    |  2 +-
 pkg/utils/user_group.go                       |  2 +-
 pkg/webhook/ingress/errors.go                 |  2 +-
 pkg/webhook/ingress/types.go                  |  8 +++----
 pkg/webhook/ingress/utils.go                  |  8 +++----
 pkg/webhook/namespace/mutation/utils.go       | 12 +++++-----
 pkg/webhook/networkpolicy/validating.go       |  4 ++--
 pkg/webhook/node/errors.go                    |  2 +-
 pkg/webhook/pod/containerregistry_errors.go   |  2 +-
 pkg/webhook/tenant/custom_resource_quota.go   |  6 ++---
 35 files changed, 87 insertions(+), 90 deletions(-)

diff --git a/.golangci.yaml b/.golangci.yaml
index ba234501..86675308 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -5,6 +5,7 @@ run:
 linters:
   default: all
   disable:
+    - godoclint
     - depguard
     - err113
     - exhaustruct
diff --git a/Makefile b/Makefile
index 37c4e6ea..4b8caa05 100644
--- a/Makefile
+++ b/Makefile
@@ -384,7 +384,7 @@ nwa:
 	$(call go-install-tool,$(NWA),github.com/$(NWA_LOOKUP)@$(NWA_VERSION))
 
 GOLANGCI_LINT          := $(LOCALBIN)/golangci-lint
-GOLANGCI_LINT_VERSION  := v2.4.0
+GOLANGCI_LINT_VERSION  := v2.5.0
 GOLANGCI_LINT_LOOKUP   := golangci/golangci-lint
 golangci-lint: ## Download golangci-lint locally if necessary.
 	@test -s $(GOLANGCI_LINT) && $(GOLANGCI_LINT) -h | grep -q $(GOLANGCI_LINT_VERSION) || \
diff --git a/api/v1beta1/owner_list.go b/api/v1beta1/owner_list.go
index 37b455b7..e98d7956 100644
--- a/api/v1beta1/owner_list.go
+++ b/api/v1beta1/owner_list.go
@@ -19,7 +19,7 @@ func (in OwnerListSpec) FindOwner(name string, kind OwnerKind) (owner OwnerSpec)
 		return in[i]
 	}
 
-	return
+	return owner
 }
 
 type ByKindAndName OwnerListSpec
diff --git a/api/v1beta1/tenant_types.go b/api/v1beta1/tenant_types.go
index 1cf0e481..1f53d0d9 100644
--- a/api/v1beta1/tenant_types.go
+++ b/api/v1beta1/tenant_types.go
@@ -78,5 +78,5 @@ func (in *Tenant) GetNamespaces() (res []string) {
 
 	res = append(res, in.Status.Namespaces...)
 
-	return
+	return res
 }
diff --git a/api/v1beta2/owner_list.go b/api/v1beta2/owner_list.go
index 5584ad85..0d2a4f6e 100644
--- a/api/v1beta2/owner_list.go
+++ b/api/v1beta2/owner_list.go
@@ -19,7 +19,7 @@ func (o OwnerListSpec) FindOwner(name string, kind OwnerKind) (owner OwnerSpec)
 		return o[i]
 	}
 
-	return
+	return owner
 }
 
 type ByKindAndName OwnerListSpec
diff --git a/api/v1beta2/resourcepool_func.go b/api/v1beta2/resourcepool_func.go
index a1bb5be6..746b93ae 100644
--- a/api/v1beta2/resourcepool_func.go
+++ b/api/v1beta2/resourcepool_func.go
@@ -247,7 +247,7 @@ func (r *ResourcePool) GetNamespaceClaims(namespace string) (claims map[string]*
 		}
 	}
 
-	return
+	return claims, claimedResources
 }
 
 // Calculate usage for each namespace.
@@ -272,5 +272,5 @@ func (r *ResourcePool) GetClaimedByNamespaceClaims() (claims map[string]corev1.R
 		}
 	}
 
-	return
+	return claims
 }
diff --git a/api/v1beta2/tenant_func.go b/api/v1beta2/tenant_func.go
index fb27d901..6df874b1 100644
--- a/api/v1beta2/tenant_func.go
+++ b/api/v1beta2/tenant_func.go
@@ -93,7 +93,7 @@ func (in *Tenant) GetSubjectsByClusterRoles(ignoreOwnerKind []OwnerKind) (rolePe
 		}
 	}
 
-	return
+	return rolePerms
 }
 
 // Get the permissions for a tenant ordered by groups and users.
diff --git a/api/v1beta2/tenant_labels.go b/api/v1beta2/tenant_labels.go
index 52ba3720..93bc2905 100644
--- a/api/v1beta2/tenant_labels.go
+++ b/api/v1beta2/tenant_labels.go
@@ -28,5 +28,5 @@ func GetTypeLabel(t metav1.Object) (label string, err error) {
 		err = fmt.Errorf("type %T is not mapped as Capsule label recognized", v)
 	}
 
-	return
+	return label, err
 }
diff --git a/api/v1beta2/tenant_types.go b/api/v1beta2/tenant_types.go
index 569eb226..7119cc9f 100644
--- a/api/v1beta2/tenant_types.go
+++ b/api/v1beta2/tenant_types.go
@@ -94,7 +94,7 @@ func (in *Tenant) GetNamespaces() (res []string) {
 
 	res = append(res, in.Status.Namespaces...)
 
-	return
+	return res
 }
 
 // +kubebuilder:object:root=true
diff --git a/controllers/config/manager.go b/controllers/config/manager.go
index eee0bc95..69734775 100644
--- a/controllers/config/manager.go
+++ b/controllers/config/manager.go
@@ -42,5 +42,5 @@ func (c *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res
 
 	c.Log.Info("CapsuleConfiguration reconciliation finished", "request.name", request.Name)
 
-	return
+	return res, err
 }
diff --git a/controllers/rbac/manager.go b/controllers/rbac/manager.go
index 621864ab..22607fda 100644
--- a/controllers/rbac/manager.go
+++ b/controllers/rbac/manager.go
@@ -74,7 +74,7 @@ func (r *Manager) SetupWithManager(ctx context.Context, mgr ctrl.Manager, config
 		err = errors.Join(err, crbErr)
 	}
 
-	return
+	return err
 }
 
 // Reconcile serves both required ClusterRole and ClusterRoleBinding resources: that's ok, we're watching for multiple
@@ -99,7 +99,7 @@ func (r *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res
 		}
 	}
 
-	return
+	return res, err
 }
 
 func (r *Manager) EnsureClusterRoleBindingsProvisioner(ctx context.Context) error {
@@ -168,7 +168,7 @@ func (r *Manager) EnsureClusterRole(ctx context.Context, roleName string) (err e
 		return nil
 	})
 
-	return
+	return err
 }
 
 // Start is the Runnable function triggered upon Manager start-up to perform the first RBAC reconciliation
diff --git a/controllers/resourcepools/claim_controller.go b/controllers/resourcepools/claim_controller.go
index 0e23b20e..e071d676 100644
--- a/controllers/resourcepools/claim_controller.go
+++ b/controllers/resourcepools/claim_controller.go
@@ -61,7 +61,7 @@ func (r resourceClaimController) Reconcile(ctx context.Context, request ctrl.Req
 
 		log.Error(err, "Error reading the object")
 
-		return
+		return result, err
 	}
 
 	// Ensuring the Quota Status
@@ -291,5 +291,5 @@ func updateStatusAndEmitEvent(
 		claim.Status.Condition.Message,
 	)
 
-	return
+	return err
 }
diff --git a/controllers/resourcepools/pool_controller.go b/controllers/resourcepools/pool_controller.go
index 62684bc7..569d5ad3 100644
--- a/controllers/resourcepools/pool_controller.go
+++ b/controllers/resourcepools/pool_controller.go
@@ -85,7 +85,7 @@ func (r resourcePoolController) Reconcile(ctx context.Context, request ctrl.Requ
 
 		log.Error(err, "Error reading the object")
 
-		return
+		return result, err
 	}
 
 	// ResourceQuota Reconciliation
@@ -298,7 +298,7 @@ func (r *resourcePoolController) canClaimWithinNamespace(
 		}
 	}
 
-	return
+	return res
 }
 
 // Handles exhaustions when a exhaustion was already declared in the given map.
@@ -336,7 +336,7 @@ func (r *resourcePoolController) handleClaimOrderedExhaustion(
 		return queued, updateStatusAndEmitEvent(ctx, r.Client, r.recorder, claim, cond)
 	}
 
-	return
+	return queued, err
 }
 
 func (r *resourcePoolController) handleClaimResourceExhaustion(
@@ -399,12 +399,12 @@ func (r *resourcePoolController) handleClaimToPoolBinding(
 	cond.Message = "Claimed resources"
 
 	if err = updateStatusAndEmitEvent(ctx, r.Client, r.recorder, claim, cond); err != nil {
-		return
+		return err
 	}
 
 	pool.AddClaimToStatus(claim)
 
-	return
+	return err
 }
 
 // Attempts to garbage collect a ResourceQuota resource.
@@ -571,7 +571,7 @@ func (r *resourcePoolController) gatherMatchingNamespaces(
 	seenNamespaces := make(map[string]struct{})
 
 	if !pool.DeletionTimestamp.IsZero() {
-		return
+		return namespaces, err
 	}
 
 	for _, selector := range pool.Spec.Selectors {
@@ -597,7 +597,7 @@ func (r *resourcePoolController) gatherMatchingNamespaces(
 		}
 	}
 
-	return
+	return namespaces, err
 }
 
 // Get Currently selected claims for the resourcepool.
diff --git a/controllers/tenant/manager.go b/controllers/tenant/manager.go
index 6d4bcb53..6c0f4286 100644
--- a/controllers/tenant/manager.go
+++ b/controllers/tenant/manager.go
@@ -43,7 +43,6 @@ func (r *Manager) SetupWithManager(mgr ctrl.Manager) error {
 		Complete(r)
 }
 
-//nolint:nakedret
 func (r Manager) Reconcile(ctx context.Context, request ctrl.Request) (result ctrl.Result, err error) {
 	r.Log = r.Log.WithValues("Request.Name", request.Name)
 	// Fetch the Tenant instance
@@ -60,7 +59,7 @@ func (r Manager) Reconcile(ctx context.Context, request ctrl.Request) (result ct
 
 		r.Log.Error(err, "Error reading the object")
 
-		return
+		return result, err
 	}
 
 	preRecNamespaces := instance.Status.Namespaces
@@ -69,13 +68,13 @@ func (r Manager) Reconcile(ctx context.Context, request ctrl.Request) (result ct
 	if err = r.updateTenantStatus(ctx, instance); err != nil {
 		r.Log.Error(err, "Cannot update Tenant status")
 
-		return
+		return result, err
 	}
 	// Ensuring Metadata
 	if err = r.ensureMetadata(ctx, instance); err != nil {
 		r.Log.Error(err, "Cannot ensure metadata")
 
-		return
+		return result, err
 	}
 
 	// Ensuring ResourceQuota
@@ -84,7 +83,7 @@ func (r Manager) Reconcile(ctx context.Context, request ctrl.Request) (result ct
 	if err = r.syncCustomResourceQuotaUsages(ctx, instance); err != nil {
 		r.Log.Error(err, "Cannot count limited resources")
 
-		return
+		return result, err
 	}
 	// Ensuring all namespaces are collected
 	r.Log.Info("Ensuring all Namespaces are collected")
@@ -92,7 +91,7 @@ func (r Manager) Reconcile(ctx context.Context, request ctrl.Request) (result ct
 	if err = r.collectNamespaces(ctx, instance); err != nil {
 		r.Log.Error(err, "Cannot collect Namespace resources")
 
-		return
+		return result, err
 	}
 	// Ensuring Status metrics are exposed
 	r.Log.Info("Ensuring all status metrics are exposed")
@@ -104,7 +103,7 @@ func (r Manager) Reconcile(ctx context.Context, request ctrl.Request) (result ct
 	if err = r.syncNamespaces(ctx, instance); err != nil {
 		r.Log.Error(err, "Cannot sync Namespace items")
 
-		return
+		return result, err
 	}
 	// Ensuring NetworkPolicy resources
 	r.Log.Info("Starting processing of Network Policies")
@@ -112,7 +111,7 @@ func (r Manager) Reconcile(ctx context.Context, request ctrl.Request) (result ct
 	if err = r.syncNetworkPolicies(ctx, instance); err != nil {
 		r.Log.Error(err, "Cannot sync NetworkPolicy items")
 
-		return
+		return result, err
 	}
 	// Ensuring LimitRange resources
 	r.Log.Info("Starting processing of Limit Ranges", "items", len(instance.Spec.LimitRanges.Items))
@@ -120,7 +119,7 @@ func (r Manager) Reconcile(ctx context.Context, request ctrl.Request) (result ct
 	if err = r.syncLimitRanges(ctx, instance); err != nil {
 		r.Log.Error(err, "Cannot sync LimitRange items")
 
-		return
+		return result, err
 	}
 	// Ensuring ResourceQuota resources
 	r.Log.Info("Starting processing of Resource Quotas", "items", len(instance.Spec.ResourceQuota.Items))
@@ -128,7 +127,7 @@ func (r Manager) Reconcile(ctx context.Context, request ctrl.Request) (result ct
 	if err = r.syncResourceQuotas(ctx, instance); err != nil {
 		r.Log.Error(err, "Cannot sync ResourceQuota items")
 
-		return
+		return result, err
 	}
 	// Ensuring RoleBinding resources
 	r.Log.Info("Ensuring RoleBindings for Owners and Tenant")
@@ -136,7 +135,7 @@ func (r Manager) Reconcile(ctx context.Context, request ctrl.Request) (result ct
 	if err = r.syncRoleBindings(ctx, instance); err != nil {
 		r.Log.Error(err, "Cannot sync RoleBindings items")
 
-		return
+		return result, err
 	}
 	// Ensuring Namespace count
 	r.Log.Info("Ensuring Namespace count")
@@ -144,7 +143,7 @@ func (r Manager) Reconcile(ctx context.Context, request ctrl.Request) (result ct
 	if err = r.ensureNamespaceCount(ctx, instance); err != nil {
 		r.Log.Error(err, "Cannot sync Namespace count")
 
-		return
+		return result, err
 	}
 
 	r.Log.Info("Tenant reconciling completed")
diff --git a/controllers/tenant/namespaces.go b/controllers/tenant/namespaces.go
index 125d0fd4..76a0bb70 100644
--- a/controllers/tenant/namespaces.go
+++ b/controllers/tenant/namespaces.go
@@ -41,7 +41,7 @@ func (r *Manager) syncNamespaces(ctx context.Context, tenant *capsulev1beta2.Ten
 		err = fmt.Errorf("cannot sync Namespaces: %w", err)
 	}
 
-	return
+	return err
 }
 
 func (r *Manager) syncNamespaceMetadata(ctx context.Context, namespace string, tnt *capsulev1beta2.Tenant) (err error) {
@@ -170,7 +170,7 @@ func (r *Manager) collectNamespaces(ctx context.Context, tenant *capsulev1beta2.
 			Selector: fields.OneTermEqualSelector(".metadata.ownerReferences[*].capsule", tenant.GetName()),
 		})
 		if err != nil {
-			return
+			return err
 		}
 
 		_, err = controllerutil.CreateOrUpdate(ctx, r.Client, tenant.DeepCopy(), func() error {
@@ -179,7 +179,7 @@ func (r *Manager) collectNamespaces(ctx context.Context, tenant *capsulev1beta2.
 			return r.Client.Status().Update(ctx, tenant, &client.SubResourceUpdateOptions{})
 		})
 
-		return
+		return err
 	})
 }
 
diff --git a/controllers/tenant/resourcequotas.go b/controllers/tenant/resourcequotas.go
index 6b962348..a2c7b0d1 100644
--- a/controllers/tenant/resourcequotas.go
+++ b/controllers/tenant/resourcequotas.go
@@ -39,7 +39,6 @@ import (
 //
 // In case of Namespace-scoped Resource Budget, we're just replicating the resources across all registered Namespaces.
 
-//nolint:nakedret
 func (r *Manager) syncResourceQuotas(ctx context.Context, tenant *capsulev1beta2.Tenant) (err error) { //nolint:gocognit
 	// getting ResourceQuota labels for the mutateFn
 	var tenantLabel, typeLabel string
@@ -175,16 +174,16 @@ func (r *Manager) syncResourceQuotas(ctx context.Context, tenant *capsulev1beta2
 					if scopeErr = r.resourceQuotasUpdate(ctx, name, quantity, toKeep, resourceQuota.Hard[name], list.Items...); scopeErr != nil {
 						r.Log.Error(scopeErr, "cannot proceed with outer ResourceQuota")
 
-						return
+						return scopeErr
 					}
 				}
 
-				return
+				return scopeErr
 			})
 		}
 		// Waiting the update of all ResourceQuotas
 		if err = group.Wait(); err != nil {
-			return
+			return err
 		}
 	}
 	// getting requested ResourceQuota keys
@@ -207,7 +206,6 @@ func (r *Manager) syncResourceQuotas(ctx context.Context, tenant *capsulev1beta2
 	return group.Wait()
 }
 
-//nolint:nakedret
 func (r *Manager) syncResourceQuota(ctx context.Context, tenant *capsulev1beta2.Tenant, namespace string, keys []string) (err error) {
 	// getting ResourceQuota labels for the mutateFn
 	var tenantLabel, typeLabel string
@@ -264,7 +262,7 @@ func (r *Manager) syncResourceQuota(ctx context.Context, tenant *capsulev1beta2.
 		r.Log.Info("Resource Quota sync result: "+string(res), "name", target.Name, "namespace", target.Namespace)
 
 		if err != nil {
-			return
+			return err
 		}
 	}
 
@@ -295,7 +293,7 @@ func (r *Manager) resourceQuotasUpdate(ctx context.Context, resourceName corev1.
 		group.Go(func() (err error) {
 			found := &corev1.ResourceQuota{}
 			if err = r.Get(ctx, types.NamespacedName{Namespace: rq.Namespace, Name: rq.Name}, found); err != nil {
-				return
+				return err
 			}
 
 			return retry.RetryOnConflict(retry.DefaultBackoff, func() (retryErr error) {
diff --git a/controllers/tenant/resourcequotas_quota.go b/controllers/tenant/resourcequotas_quota.go
index 014175be..a0730e00 100644
--- a/controllers/tenant/resourcequotas_quota.go
+++ b/controllers/tenant/resourcequotas_quota.go
@@ -71,7 +71,7 @@ func (r *Manager) syncCustomResourceQuotaUsages(ctx context.Context, tenant *cap
 			err := retry.RetryOnConflict(retry.DefaultBackoff, func() (retryErr error) {
 				tnt := &capsulev1beta2.Tenant{}
 				if retryErr = r.Get(ctx, types.NamespacedName{Name: tenant.GetName()}, tnt); retryErr != nil {
-					return
+					return retryErr
 				}
 
 				if tnt.GetAnnotations() == nil {
@@ -123,7 +123,7 @@ func (r *Manager) syncCustomResourceQuotaUsages(ctx context.Context, tenant *cap
 				usedMap[key] += used
 			}
 
-			return
+			return scopeErr
 		})
 	}
 
diff --git a/controllers/tenant/rolebindings.go b/controllers/tenant/rolebindings.go
index 566eda3b..bbc7ce56 100644
--- a/controllers/tenant/rolebindings.go
+++ b/controllers/tenant/rolebindings.go
@@ -91,20 +91,19 @@ func (r *Manager) syncRoleBindings(ctx context.Context, tenant *capsulev1beta2.T
 	return group.Wait()
 }
 
-//nolint:nakedret
 func (r *Manager) syncAdditionalRoleBinding(ctx context.Context, tenant *capsulev1beta2.Tenant, ns string, keys []string, hashFn func(binding api.AdditionalRoleBindingsSpec) string) (err error) {
 	var tenantLabel, roleBindingLabel string
 
 	if tenantLabel, err = utils.GetTypeLabel(&capsulev1beta2.Tenant{}); err != nil {
-		return
+		return err
 	}
 
 	if roleBindingLabel, err = utils.GetTypeLabel(&rbacv1.RoleBinding{}); err != nil {
-		return
+		return err
 	}
 
 	if err = r.pruningResources(ctx, ns, keys, &rbacv1.RoleBinding{}); err != nil {
-		return
+		return err
 	}
 
 	var roleBindings []api.AdditionalRoleBindingsSpec
@@ -155,7 +154,7 @@ func (r *Manager) syncAdditionalRoleBinding(ctx context.Context, tenant *capsule
 		r.Log.Info(fmt.Sprintf("RoleBinding sync result: %s", string(res)), "name", target.Name, "namespace", target.Namespace)
 
 		if err != nil {
-			return
+			return err
 		}
 	}
 
diff --git a/controllers/tenant/utils.go b/controllers/tenant/utils.go
index f5a3a513..04389ed5 100644
--- a/controllers/tenant/utils.go
+++ b/controllers/tenant/utils.go
@@ -23,7 +23,7 @@ func (r *Manager) pruningResources(ctx context.Context, ns string, keys []string
 	var capsuleLabel string
 
 	if capsuleLabel, err = capsulev1beta2.GetTypeLabel(obj); err != nil {
-		return
+		return err
 	}
 
 	selector := labels.NewSelector()
@@ -31,7 +31,7 @@ func (r *Manager) pruningResources(ctx context.Context, ns string, keys []string
 	var exists *labels.Requirement
 
 	if exists, err = labels.NewRequirement(capsuleLabel, selection.Exists, []string{}); err != nil {
-		return
+		return err
 	}
 
 	selector = selector.Add(*exists)
diff --git a/pkg/api/allowed_list.go b/pkg/api/allowed_list.go
index 4e88f098..09c57a34 100644
--- a/pkg/api/allowed_list.go
+++ b/pkg/api/allowed_list.go
@@ -79,7 +79,7 @@ func (in *AllowedListSpec) ExactMatch(value string) (ok bool) {
 		ok = i < len(in.Exact) && in.Exact[i] == value
 	}
 
-	return
+	return ok
 }
 
 func (in *AllowedListSpec) RegexMatch(value string) (ok bool) {
@@ -87,7 +87,7 @@ func (in *AllowedListSpec) RegexMatch(value string) (ok bool) {
 		ok = regexp.MustCompile(in.Regex).MatchString(value)
 	}
 
-	return
+	return ok
 }
 
 // +kubebuilder:object:generate=true
diff --git a/pkg/api/forbidden_list.go b/pkg/api/forbidden_list.go
index cbac718f..da577ea5 100644
--- a/pkg/api/forbidden_list.go
+++ b/pkg/api/forbidden_list.go
@@ -35,7 +35,7 @@ func (in ForbiddenListSpec) ExactMatch(value string) (ok bool) {
 		ok = i < len(in.Exact) && in.Exact[i] == value
 	}
 
-	return
+	return ok
 }
 
 func (in ForbiddenListSpec) RegexMatch(value string) (ok bool) {
@@ -43,7 +43,7 @@ func (in ForbiddenListSpec) RegexMatch(value string) (ok bool) {
 		ok = regexp.MustCompile(in.Regex).MatchString(value)
 	}
 
-	return
+	return ok
 }
 
 type ForbiddenError struct {
@@ -76,7 +76,7 @@ func (f *ForbiddenError) appendForbiddenError() (append string) {
 		append += fmt.Sprintf("matching the regex %s", f.spec.Regex)
 	}
 
-	return
+	return append
 }
 
 func ValidateForbidden(metadata map[string]string, forbiddenList ForbiddenListSpec) error {
diff --git a/pkg/cert/ca.go b/pkg/cert/ca.go
index 4f2dfeae..f5861a93 100644
--- a/pkg/cert/ca.go
+++ b/pkg/cert/ca.go
@@ -46,7 +46,7 @@ func (c CapsuleCA) CACertificatePem() (b *bytes.Buffer, err error) {
 
 	crtBytes, err = x509.CreateCertificate(rand.Reader, c.certificate, c.certificate, &c.key.PublicKey, c.key)
 	if err != nil {
-		return
+		return b, err
 	}
 
 	b = new(bytes.Buffer)
@@ -111,7 +111,7 @@ func GenerateCertificateAuthority() (s *CapsuleCA, err error) {
 		return nil, err
 	}
 
-	return
+	return s, err
 }
 
 func GetCertificateFromBytes(certBytes []byte) (*x509.Certificate, error) {
@@ -144,7 +144,6 @@ func GetCertificateWithPrivateKeyFromBytes(certBytes, keyBytes []byte) (*x509.Ce
 	return cert, key, nil
 }
 
-//nolint:nakedret
 func (c *CapsuleCA) GenerateCertificate(opts CertificateOptions) (certificatePem *bytes.Buffer, certificateKey *bytes.Buffer, err error) {
 	var certPrivKey *rsa.PrivateKey
 
@@ -185,7 +184,7 @@ func (c *CapsuleCA) GenerateCertificate(opts CertificateOptions) (certificatePem
 		Bytes: certBytes,
 	})
 	if err != nil {
-		return
+		return certificatePem, certificateKey, err
 	}
 
 	certificateKey = new(bytes.Buffer)
@@ -195,8 +194,8 @@ func (c *CapsuleCA) GenerateCertificate(opts CertificateOptions) (certificatePem
 		Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
 	})
 	if err != nil {
-		return
+		return certificatePem, certificateKey, err
 	}
 
-	return
+	return certificatePem, certificateKey, err
 }
diff --git a/pkg/configuration/client.go b/pkg/configuration/client.go
index 8b507a3d..48211528 100644
--- a/pkg/configuration/client.go
+++ b/pkg/configuration/client.go
@@ -36,6 +36,7 @@ func NewCapsuleConfiguration(ctx context.Context, client client.Client, name str
 					},
 				}
 			}
+
 			panic(errors.Wrap(err, "Cannot retrieve Capsule configuration with name "+name))
 		}
 
diff --git a/pkg/indexer/ingress/hostname_path.go b/pkg/indexer/ingress/hostname_path.go
index 3ec6cf4c..d704927f 100644
--- a/pkg/indexer/ingress/hostname_path.go
+++ b/pkg/indexer/ingress/hostname_path.go
@@ -50,6 +50,6 @@ func (s HostnamePath) Func() client.IndexerFunc {
 			}
 		}
 
-		return
+		return entries
 	}
 }
diff --git a/pkg/utils/owner.go b/pkg/utils/owner.go
index bcdcbdf5..bae1d599 100644
--- a/pkg/utils/owner.go
+++ b/pkg/utils/owner.go
@@ -14,5 +14,5 @@ func GetOwnersWithKinds(tenant *capsulev1beta2.Tenant) (owners []string) {
 		owners = append(owners, fmt.Sprintf("%s:%s", owner.Kind.String(), owner.Name))
 	}
 
-	return
+	return owners
 }
diff --git a/pkg/utils/tenant_labels.go b/pkg/utils/tenant_labels.go
index 840687c8..00053794 100644
--- a/pkg/utils/tenant_labels.go
+++ b/pkg/utils/tenant_labels.go
@@ -37,5 +37,5 @@ func GetTypeLabel(t runtime.Object) (label string, err error) {
 		err = fmt.Errorf("type %T is not mapped as Capsule label recognized", v)
 	}
 
-	return
+	return label, err
 }
diff --git a/pkg/utils/user_group.go b/pkg/utils/user_group.go
index aed5045a..2ffc90e4 100644
--- a/pkg/utils/user_group.go
+++ b/pkg/utils/user_group.go
@@ -30,5 +30,5 @@ func (u userGroupList) Find(needle string) (found bool) {
 
 	found = i < len(u) && u[i] == needle
 
-	return
+	return found
 }
diff --git a/pkg/webhook/ingress/errors.go b/pkg/webhook/ingress/errors.go
index 6c50d25c..c20e9b9b 100644
--- a/pkg/webhook/ingress/errors.go
+++ b/pkg/webhook/ingress/errors.go
@@ -112,5 +112,5 @@ func appendHostnameError(spec api.AllowedListSpec) (append string) {
 		append += fmt.Sprintf(", or matching the regex %s", spec.Regex)
 	}
 
-	return
+	return append
 }
diff --git a/pkg/webhook/ingress/types.go b/pkg/webhook/ingress/types.go
index 4b8447d0..a31920be 100644
--- a/pkg/webhook/ingress/types.go
+++ b/pkg/webhook/ingress/types.go
@@ -43,7 +43,7 @@ func (n NetworkingV1) IngressClass() (res *string) {
 		}
 	}
 
-	return
+	return res
 }
 
 func (n NetworkingV1) SetIngressClass(ingressClassName string) {
@@ -113,7 +113,7 @@ func (n NetworkingV1Beta1) IngressClass() (res *string) {
 		}
 	}
 
-	return
+	return res
 }
 
 func (n NetworkingV1Beta1) SetIngressClass(ingressClassName string) {
@@ -187,7 +187,7 @@ func (e Extension) IngressClass() (res *string) {
 		}
 	}
 
-	return
+	return res
 }
 
 func (e Extension) SetIngressClass(ingressClassName string) {
@@ -252,5 +252,5 @@ func (h HostnamesList) IsStringInList(value string) (ok bool) {
 	i := sort.SearchStrings(h, value)
 	ok = i < h.Len() && h[i] == value
 
-	return
+	return ok
 }
diff --git a/pkg/webhook/ingress/utils.go b/pkg/webhook/ingress/utils.go
index 4ce21d52..0b36f880 100644
--- a/pkg/webhook/ingress/utils.go
+++ b/pkg/webhook/ingress/utils.go
@@ -38,7 +38,7 @@ func FromRequest(req admission.Request, decoder admission.Decoder) (ingress Ingr
 		if req.Kind.Version == "v1" {
 			ingressObj := &networkingv1.Ingress{}
 			if err = decoder.Decode(req, ingressObj); err != nil {
-				return
+				return ingress, err
 			}
 
 			ingress = NetworkingV1{Ingress: ingressObj}
@@ -48,14 +48,14 @@ func FromRequest(req admission.Request, decoder admission.Decoder) (ingress Ingr
 
 		ingressObj := &networkingv1beta1.Ingress{}
 		if err = decoder.Decode(req, ingressObj); err != nil {
-			return
+			return ingress, err
 		}
 
 		ingress = NetworkingV1Beta1{Ingress: ingressObj}
 	case "extensions":
 		ingressObj := &extensionsv1beta1.Ingress{}
 		if err = decoder.Decode(req, ingressObj); err != nil {
-			return
+			return ingress, err
 		}
 
 		ingress = Extension{Ingress: ingressObj}
@@ -63,5 +63,5 @@ func FromRequest(req admission.Request, decoder admission.Decoder) (ingress Ingr
 		err = fmt.Errorf("cannot recognize type %s", req.Kind.Group)
 	}
 
-	return
+	return ingress, err
 }
diff --git a/pkg/webhook/namespace/mutation/utils.go b/pkg/webhook/namespace/mutation/utils.go
index e48c813b..022d1e78 100644
--- a/pkg/webhook/namespace/mutation/utils.go
+++ b/pkg/webhook/namespace/mutation/utils.go
@@ -227,7 +227,7 @@ func resolveServiceAccountActor(
 ) (tnt *capsulev1beta2.Tenant, err error) {
 	parts := strings.Split(userInfo.Username, ":")
 	if len(parts) != 4 {
-		return
+		return tnt, err
 	}
 
 	namespace, saName := parts[2], parts[3]
@@ -235,28 +235,28 @@ func resolveServiceAccountActor(
 	sa := &corev1.ServiceAccount{}
 	if err = clt.Get(ctx, client.ObjectKey{Namespace: namespace, Name: saName}, sa); err != nil {
 		if apierrors.IsNotFound(err) {
-			return
+			return tnt, err
 		}
 
-		return
+		return tnt, err
 	}
 
 	if meta.OwnerPromotionLabelTriggers(ns) {
-		return
+		return tnt, err
 	}
 
 	tntList := &capsulev1beta2.TenantList{}
 	if err = clt.List(ctx, tntList, client.MatchingFieldsSelector{
 		Selector: fields.OneTermEqualSelector(".status.namespaces", namespace),
 	}); err != nil {
-		return
+		return tnt, err
 	}
 
 	if len(tntList.Items) > 0 {
 		tnt = &tntList.Items[0]
 	}
 
-	return
+	return tnt, err
 }
 
 func validateNamespacePrefix(ns *corev1.Namespace, tenant *capsulev1beta2.Tenant) bool {
diff --git a/pkg/webhook/networkpolicy/validating.go b/pkg/webhook/networkpolicy/validating.go
index 62fdffea..ffac96ca 100644
--- a/pkg/webhook/networkpolicy/validating.go
+++ b/pkg/webhook/networkpolicy/validating.go
@@ -73,7 +73,7 @@ func (r *handler) handle(ctx context.Context, req admission.Request, client clie
 
 	objectLabel, err := capsuleutils.GetTypeLabel(&networkingv1.NetworkPolicy{})
 	if err != nil {
-		return
+		return allowed, err
 	}
 
 	labels := np.GetLabels()
@@ -81,5 +81,5 @@ func (r *handler) handle(ctx context.Context, req admission.Request, client clie
 		allowed = false
 	}
 
-	return
+	return allowed, err
 }
diff --git a/pkg/webhook/node/errors.go b/pkg/webhook/node/errors.go
index 7afe35e8..b32c57ad 100644
--- a/pkg/webhook/node/errors.go
+++ b/pkg/webhook/node/errors.go
@@ -24,7 +24,7 @@ func appendForbiddenError(spec *capsulev1beta2.ForbiddenListSpec) (append string
 		append += fmt.Sprintf("matching the regex %s", spec.Regex)
 	}
 
-	return
+	return append
 }
 
 type nodeLabelForbiddenError struct {
diff --git a/pkg/webhook/pod/containerregistry_errors.go b/pkg/webhook/pod/containerregistry_errors.go
index 144b37a4..fca8d99c 100644
--- a/pkg/webhook/pod/containerregistry_errors.go
+++ b/pkg/webhook/pod/containerregistry_errors.go
@@ -49,5 +49,5 @@ func (f registryClassForbiddenError) Error() (err string) {
 
 	err += strings.Join(extra, " or ")
 
-	return
+	return err
 }
diff --git a/pkg/webhook/tenant/custom_resource_quota.go b/pkg/webhook/tenant/custom_resource_quota.go
index 13c98beb..d5b543e4 100644
--- a/pkg/webhook/tenant/custom_resource_quota.go
+++ b/pkg/webhook/tenant/custom_resource_quota.go
@@ -102,15 +102,15 @@ func (r *resourceCounterHandler) OnDelete(clt client.Client, _ admission.Decoder
 		err = retry.RetryOnConflict(retry.DefaultRetry, func() (retryErr error) {
 			tnt := &capsulev1beta2.Tenant{}
 			if retryErr = clt.Get(ctx, types.NamespacedName{Name: tntName}, tnt); err != nil {
-				return
+				return retryErr
 			}
 
 			if tnt.Annotations == nil {
-				return
+				return retryErr
 			}
 
 			if _, ok := tnt.Annotations[capsulev1beta2.UsedAnnotationForResource(kgv)]; !ok {
-				return
+				return retryErr
 			}
 
 			used, _ := capsulev1beta2.GetUsedResourceFromTenant(*tnt, kgv)