2048 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
Qing Hao	c57c33d4f8	fix: replace broken kubebuilder-tools download with setup-envtest (#1383) ... 🤖 Generated with [Claude Code](https://claude.ai/code) Signed-off-by: Qing Hao <qhao@redhat.com> Co-authored-by: Claude <noreply@anthropic.com>	2026-02-12 06:58:25 +00:00
dependabot[bot]	8f6af466dd	🌱 Bump github.com/aws/aws-sdk-go-v2/service/eks (#1379) ... Bumps the aws group with 1 update: [github.com/aws/aws-sdk-go-v2/service/eks](https://github.com/aws/aws-sdk-go-v2). Updates `github.com/aws/aws-sdk-go-v2/service/eks` from 1.77.1 to 1.78.0 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.77.1...service/s3/v1.78.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/eks dependency-version: 1.78.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-02-11 02:16:00 +00:00
dependabot[bot]	f30dac91f9	🌱 Bump the github-actions group with 2 updates (#1377) ... Bumps the github-actions group with 2 updates: [step-security/harden-runner](https://github.com/step-security/harden-runner) and [github/codeql-action](https://github.com/github/codeql-action). Updates `step-security/harden-runner` from 2.14.1 to 2.14.2 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](e3f713f2d8...5ef0c079ce) Updates `github/codeql-action` from 4.32.0 to 4.32.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](b20883b0cd...45cbd0c69e) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.14.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: 4.32.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-02-11 02:13:16 +00:00
Wei Liu	109bde1f93	increase the test timeout to avoid flaky test (#1378) ... Signed-off-by: Wei Liu <liuweixa@redhat.com>	2026-02-10 06:31:23 +00:00
dependabot[bot]	fd6a0aaa1e	🌱 Bump github.com/aws/aws-sdk-go-v2/service/eks (#1374) ... Bumps the aws group with 1 update: [github.com/aws/aws-sdk-go-v2/service/eks](https://github.com/aws/aws-sdk-go-v2). Updates `github.com/aws/aws-sdk-go-v2/service/eks` from 1.77.0 to 1.77.1 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.77.0...service/s3/v1.77.1) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/eks dependency-version: 1.77.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-02-05 12:30:33 +00:00
dependabot[bot]	89c1d5f83d	🌱 Bump github.com/onsi/gomega from 1.39.0 to 1.39.1 (#1372) ... Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.39.0 to 1.39.1. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.39.0...v1.39.1) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-version: 1.39.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-02-04 02:35:40 +00:00
dependabot[bot]	14b132a42e	🌱 Bump github/codeql-action in the github-actions group (#1370) ... Bumps the github-actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action). Updates `github/codeql-action` from 4.31.11 to 4.32.0 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](19b2f06db2...b20883b0cd) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.32.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-02-04 02:32:50 +00:00
Jian Zhu	493ad777b3	✨ Add e2e test for token-based authentication with template addons (#1368) ... * ✨ Add e2e test for token-based authentication with template addons This test validates the token-based authentication feature for template addons introduced in PR #1363. It tests the complete authentication lifecycle including switching between token and CSR authentication modes. Test Flow: 1. Enable token-based authentication for addons on klusterlet 2. Deploy template addon and verify it uses token auth 3. Validate token field exists in hub kubeconfig secret 4. Test addon functionality with token authentication 5. Switch back to CSR-based authentication 6. Verify hub kubeconfig now uses client certificates 7. Test addon functionality with CSR authentication 8. Cleanup all resources Key Features: - Comprehensive validation of both token and CSR authentication - No manual CSR approval needed (auto-approved by system) - Works independently of klusterlet registration driver (grpc/csr) - Uses label "addon-token-auth" for selective test execution 🤖 Generated with Claude Code https://claude.com/claude-code Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: zhujian <jiazhu@redhat.com> * ♻️ Refactor addon token auth test to use BeforeAll/AfterAll hooks Move klusterlet configuration save/restore logic from defer in test function to BeforeAll/AfterAll hooks for better test structure and isolation. Changes: - Save original klusterlet configuration in BeforeAll before any setup - Configure token auth for klusterlet in BeforeAll - Restore original configuration in AfterAll after cleanup - Remove redundant Steps 9-12 (CSR auth switch back) - Renumber remaining steps from 1-10 - Remove unused strings import This ensures the klusterlet's original AddOnKubeClientRegistrationDriver is preserved for other tests and provides clearer separation of test setup/teardown from test logic. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Signed-off-by: zhujian <jiazhu@redhat.com> * ✅ Wait for registration agent rollout before proceeding in token auth test Add explicit wait for registration agent deployment to fully rollout after token authentication configuration is applied. This ensures all replicas are updated and ready before proceeding with the test, preventing race conditions. The wait validates: - ObservedGeneration matches current generation - All replicas are updated with new configuration - All replicas are ready and available 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: zhujian <jiazhu@redhat.com> * ✨ Add deployment generation check to ensure token auth rollout Capture the registration agent deployment generation before updating the klusterlet configuration, then wait for it to increment after the update. This ensures the test waits for the actual new deployment with token auth configuration, not an old one with CSR-based auth. Changes: - Capture initial deployment generation before klusterlet update - Calculate deployment name once based on Singleton vs Default mode - Wait for deployment generation to increment after config change - Verify deployment has fully rolled out with all pods updated and ready This prevents race conditions where the test proceeds while old pods with the previous CSR-based configuration are still running, which was likely causing CI failures. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Signed-off-by: zhujian <jiazhu@redhat.com> * ✨ Add support for hosted mode in addon token auth test This commit adds proper support for hosted mode deployment in the addon token authentication e2e test. In hosted mode, the agent deployments run on the hub cluster instead of the spoke cluster, and the agent namespace is named after the klusterlet name rather than using a fixed namespace. Key changes: - Check for both InstallModeHosted and InstallModeSingletonHosted modes - Use hub.KubeClient instead of spoke.KubeClient in hosted mode - Use klusterlet.Name as agentNamespace in hosted mode - Support InstallModeSingletonHosted for deployment naming This ensures the test works correctly in all deployment modes: Default, Singleton, Hosted, and SingletonHosted. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: zhujian <jiazhu@redhat.com> --------- Signed-off-by: zhujian <jiazhu@redhat.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-02-04 00:19:53 +00:00
dependabot[bot]	75be5e58a0	🌱 Bump github.com/onsi/ginkgo/v2 from 2.27.5 to 2.28.1 (#1369) ... Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.27.5 to 2.28.1. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.27.5...v2.28.1) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-version: 2.28.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-02-02 14:09:31 +00:00
dependabot[bot]	ba93ea3c02	🌱 Bump github.com/google/cel-go from 0.26.1 to 0.27.0 (#1366) ... Bumps [github.com/google/cel-go](https://github.com/google/cel-go) from 0.26.1 to 0.27.0. - [Release notes](https://github.com/google/cel-go/releases) - [Commits](https://github.com/google/cel-go/compare/v0.26.1...v0.27.0) --- updated-dependencies: - dependency-name: github.com/google/cel-go dependency-version: 0.27.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-02-02 06:30:30 +00:00
Jian Zhu	7323d2047a	✨ Support token-based authentication for template addons (#1363) ... * ✨ Support token-based authentication for template addons This change enables template type addons to work with both CSR-based and token-based authentication through dynamic subject binding. Changes: - Modified createPermissionBinding() to extract dynamic subjects from addon.Status.Registrations instead of using hardcoded groups - Added buildSubjectsFromRegistration() helper to extract user/groups from registration status - Returns SubjectNotReadyError when subjects not ready (enables retry) - Removed clusterAddonGroup() function (no longer needed) - Updated addon-framework dependency to v1.2.0 for SubjectNotReadyError - Added comprehensive tests for buildSubjectsFromRegistration - Updated test helpers to include registration status with proper subjects The implementation now supports: - CSR-based authentication (existing) - Token-based authentication (new) - Any future authentication method that populates Status.Registrations Related: 14af2a2eeb/enhancements/sig-architecture/167-token-based-addon-registration/README.md 🤖 Generated with Claude Code https://claude.com/claude-code Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: zhujian <jiazhu@redhat.com> * test: add unit test for system:authenticated group filtering Add a test case to verify that buildSubjectsFromRegistration correctly filters out the system:authenticated group from the list of groups when building RBAC subjects. This covers the filtering logic in registration.go lines 560-562. Also update the expected groups in TestTemplateCSRConfigurationsFunc to match the implementation that includes both cluster-specific and addon-wide groups for token-based authentication. Signed-off-by: Claude <noreply@anthropic.com> Signed-off-by: zhujian <jiazhu@redhat.com> * feat: add addon-wide group and filter system:authenticated Add support for addon-wide group in defaultGroups() to support token-based authentication for template addons. This adds the system:open-cluster-management:addon:{addonName} group in addition to the cluster-specific group. Also add filtering logic in buildSubjectsFromRegistration() to exclude the system:authenticated group from RBAC subjects, as this is a special Kubernetes group automatically added to all authenticated users and should not be explicitly included in RoleBindings. Signed-off-by: Claude <noreply@anthropic.com> Signed-off-by: zhujian <jiazhu@redhat.com> * refactor: implement custom CSR approver with flexible org validation Replace addon-framework's DefaultCSRApprover with a custom implementation that supports both legacy and new CSR organization structures. Key changes: - Implement defaultCSRApprover function that accepts 2 or 3 organization units - 3 orgs: legacy behavior including system:authenticated group in CSRs - 2 orgs: new behavior where system:authenticated is filtered out - Add support for gRPC-based CSR requests by checking CSRUsernameAnnotation - Validate all required default addon groups are present in CSR - Add necessary imports: k8s.io/apimachinery/pkg/util/sets and operatorapiv1 This enables backward compatibility while supporting the new token-based authentication flow where system:authenticated is excluded from CSR orgs but included in registration configs. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: zhujian <jiazhu@redhat.com> * refactor: use addon-framework's updated KubeClientSignerConfigurations Remove custom implementations and use addon-framework's native functions which now include system:authenticated group by default. Changes: - Remove custom kubeClientSignerConfigurations function - Remove custom defaultGroups function - Remove custom defaultCSRApprover function - Use agent.KubeClientSignerConfigurations from addon-framework - Use utils.DefaultCSRApprover from addon-framework - Remove unused imports: k8s.io/apimachinery/pkg/util/sets and operatorapiv1 The addon-framework has been updated to include system:authenticated in DefaultGroups(), eliminating the need for custom implementations. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: zhujian <jiazhu@redhat.com> --------- Signed-off-by: zhujian <jiazhu@redhat.com> Signed-off-by: Claude <noreply@anthropic.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> v1.2.0	2026-01-30 11:44:53 +00:00
Jian Qiu	b5e1bbf727	Bump api to v1.2.0 (#1361) ... Signed-off-by: Jian Qiu <jqiu@redhat.com>	2026-01-29 13:41:21 +00:00
Zhiwei Yin	4b9580954f	update operator csv (#1362) ... Signed-off-by: Zhiwei Yin <zyin@redhat.com>	2026-01-29 12:18:11 +00:00
Morven Cao	062ae225bb	🐛 enhance clusterprofile lifecycle controller (#1359) ... * check namespace existence and state in clusterprofile lifecycle controller. Signed-off-by: Morven Cao <lcao@redhat.com> * optimize the queue key and log for clusterprofile controller. Signed-off-by: Morven Cao <lcao@redhat.com> --------- Signed-off-by: Morven Cao <lcao@redhat.com>	2026-01-29 07:28:29 +00:00
Wei Liu	7bf9a4a919	only check the hub kubeconfig secret (#1360) ... Signed-off-by: Wei Liu <liuweixa@redhat.com>	2026-01-29 06:51:51 +00:00
Jian Qiu	63d9574ca2	✨ Add watch-based feedback with dynamic informer lifecycle management (#1350) ... * Add watch-based feedback with dynamic informer lifecycle management Implements dynamic informer registration and cleanup for resources configured with watch-based status feedback (FeedbackScrapeType=Watch). This enables real-time status updates for watched resources while efficiently managing resource lifecycle. Features: - Automatically register informers for resources with FeedbackWatchType - Skip informer registration for FeedbackPollType or when not configured - Clean up informers when resources are removed from manifestwork - Clean up informers during applied manifestwork finalization - Clean up informers when feedback type changes from watch to poll Implementation: - Refactored ObjectReader to interface for better modularity - Added UnRegisterInformerFromAppliedManifestWork helper for bulk cleanup - Enhanced AvailableStatusController to conditionally register informers - Updated finalization controllers to unregister informers on cleanup - Added nil safety checks to prevent panics during cleanup Testing: - Unit tests for informer registration based on feedback type - Unit tests for bulk unregistration and nil safety - Integration test for end-to-end watch-based feedback workflow - Integration test for informer cleanup on manifestwork deletion - All existing tests updated and passing This feature improves performance by using watch-based updates for real-time status feedback while maintaining efficient resource cleanup. Signed-off-by: Jian Qiu <jqiu@redhat.com> * Fallback to get from client when informer is not synced Signed-off-by: Jian Qiu <jqiu@redhat.com> --------- Signed-off-by: Jian Qiu <jqiu@redhat.com>	2026-01-29 06:46:21 +00:00
Yang Le	f2aa5d4d6a	skip importing terminating clusters (#1358) ... Signed-off-by: Yang Le <yangle@redhat.com>	2026-01-29 05:13:32 +00:00
Jian Qiu	2743547b40	Reduce logging level of DumpSecret to v(4) (#1357) ... It generates a lot of noises otherwise Signed-off-by: Jian Qiu <jqiu@redhat.com>	2026-01-29 04:28:42 +00:00
Mike Ng	4ec68fd389	docs: Update argocd-agent solution to use clusteradm (#1348) ... Signed-off-by: Mike Ng <ming@redhat.com>	2026-01-29 01:29:43 +00:00
Morven Cao	d1221c4a79	🌱 sync clusterprofile based on managedclusterset and managedclustersetbinding (#1351) ... * sync clusterprofile based on managedclusterset and managedclustersetbinding Co-authored-by: Claude <claude@anthropic.com> Signed-off-by: Morven Cao <lcao@redhat.com> * Refactor ClusterProfile controller into two separate controllers. Signed-off-by: Morven Cao <lcao@redhat.com> * address comments. Signed-off-by: Morven Cao <lcao@redhat.com> * fix lint issues. Signed-off-by: Morven Cao <lcao@redhat.com> * address comments. Signed-off-by: Morven Cao <lcao@redhat.com> * address comments. Signed-off-by: Morven Cao <lcao@redhat.com> --------- Signed-off-by: Morven Cao <lcao@redhat.com>	2026-01-28 15:37:46 +00:00
Yang Le	9d1a993e2c	✨ add token driver for addon registration (#1343) ... Signed-off-by: Yang Le <yangle@redhat.com>	2026-01-28 05:41:52 +00:00
Yang Le	f6dec25bdf	✨ add contoller to support token infrastructure (#1340) ... Signed-off-by: Yang Le <yangle@redhat.com>	2026-01-27 13:06:21 +00:00
Wei Liu	8fd640694e	enable grpc e2e (#1354) ... Signed-off-by: Wei Liu <liuweixa@redhat.com>	2026-01-27 10:26:32 +00:00
Yang Le	68ea574041	update klusterlet crd in chart (#1355) ... Signed-off-by: Yang Le <yangle@redhat.com>	2026-01-27 08:42:40 +00:00
dependabot[bot]	1e502b304e	🌱 Bump the github-actions group with 3 updates (#1353) ... Bumps the github-actions group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [step-security/harden-runner](https://github.com/step-security/harden-runner) and [github/codeql-action](https://github.com/github/codeql-action). Updates `actions/checkout` from 6.0.1 to 6.0.2 - [Release notes](https://github.com/actions/checkout/releases) - [Commits](https://github.com/actions/checkout/compare/v6.0.1...v6.0.2) Updates `step-security/harden-runner` from 2.14.0 to 2.14.1 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](20cf305ff2...e3f713f2d8) Updates `github/codeql-action` from 4.31.10 to 4.31.11 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](cdefb33c0f...19b2f06db2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: step-security/harden-runner dependency-version: 2.14.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: 4.31.11 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-27 01:55:12 +00:00
Yang Le	e421f20040	upgrade to the latest api (#1349) ... Signed-off-by: Yang Le <yangle@redhat.com>	2026-01-26 04:21:04 +00:00
Jian Qiu	9b010ef622	🌱 build object reader to get resource object from spoke (#1324) ... * A resource informer code to watch resources Signed-off-by: Jian Qiu <jqiu@redhat.com> * Use object reader in controller Signed-off-by: Jian Qiu <jqiu@redhat.com> --------- Signed-off-by: Jian Qiu <jqiu@redhat.com>	2026-01-23 07:32:13 +00:00
Wei Liu	5740147dba	add token request service (#1339) ... Signed-off-by: Wei Liu <liuweixa@redhat.com>	2026-01-20 03:19:41 +00:00
dependabot[bot]	5c7a219b0c	🌱 Bump github/codeql-action in the github-actions group (#1341) ... Bumps the github-actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action). Updates `github/codeql-action` from 4.31.9 to 4.31.10 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](5d4e8d1aca...cdefb33c0f) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.31.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-19 14:41:28 +00:00
Zhiwei Yin	9a1e925112	ensure immediate requeue for transient errors when work spec is changed (#1335) ... Signed-off-by: Zhiwei Yin <zyin@redhat.com>	2026-01-19 07:57:39 +00:00
xuezhao	d83c822129	Add duplicate manifest detection in ManifestWork webhook validation (#1310) ... This commit adds validation to detect and reject duplicate manifests in ManifestWork resources. A manifest is considered duplicate when it has the same apiVersion, kind, namespace, and name as another manifest in the same ManifestWork. This prevents issues where duplicate manifests with different specs can cause state inconsistency, as the Work Agent applies manifests sequentially and later entries would overwrite earlier ones. The validation returns a clear error message indicating the duplicate manifest's index and the index of its first occurrence. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Signed-off-by: xuezhaojun <zxue@redhat.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-19 06:09:25 +00:00
Yang Le	d165060162	🌱 upgrade addon API to include driver in addon status (#1336) ... Signed-off-by: Yang Le <yangle@redhat.com>	2026-01-19 04:26:49 +00:00
dependabot[bot]	7b92ecf129	🌱 Bump helm.sh/helm/v3 from 3.19.4 to 3.19.5 (#1333) ... Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.19.4 to 3.19.5. - [Release notes](https://github.com/helm/helm/releases) - [Commits](https://github.com/helm/helm/compare/v3.19.4...v3.19.5) --- updated-dependencies: - dependency-name: helm.sh/helm/v3 dependency-version: 3.19.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-19 01:44:20 +00:00
Jian Zhu	c69a2586e5	fix: ensure immediate eviction after grace period expires (#1330) ... Fixed a bug where AppliedManifestWorks were not evicted immediately after the appliedmanifestwork-eviction-grace-period expired. Root cause: The controller used an exponential backoff rate limiter to schedule requeue delays, which caused: 1. Exponentially increasing delays during grace period (1min -> 2min -> 4min...) 2. Unpredictable delays after grace period expired Solution: Replace rate limiter with direct time calculation. Now the controller calculates the exact remaining time until eviction and schedules the next sync for that precise moment: remainingTime := evictionTime.Sub(now) Changes: - Removed rateLimiter field and workqueue import - Calculate exact remaining time instead of using exponential backoff - Added V(4) logging to show scheduled eviction time and remaining time - Updated unit test expectations (queue length 0 for delayed items) Impact: AppliedManifestWorks are now evicted immediately when the grace period expires, instead of being delayed by minutes due to exponential backoff. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Signed-off-by: zhujian <jiazhu@redhat.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-01-16 09:48:50 +00:00
Anne Lau	4dc99cd621	Progressing status conditions, true wins (#1332) ... Signed-off-by: annelau <annelau@salesforce.com> Co-authored-by: annelau <annelau@salesforce.com>	2026-01-16 06:53:14 +00:00
dependabot[bot]	8029ed38eb	🌱 Bump github.com/aws/aws-sdk-go-v2/service/eks (#1331) ... Bumps the aws group with 1 update: [github.com/aws/aws-sdk-go-v2/service/eks](https://github.com/aws/aws-sdk-go-v2). Updates `github.com/aws/aws-sdk-go-v2/service/eks` from 1.76.4 to 1.77.0 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/eks/v1.76.4...service/s3/v1.77.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/eks dependency-version: 1.77.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-15 14:21:21 +00:00
dependabot[bot]	4dba92e923	🌱 Bump github.com/onsi/ginkgo/v2 from 2.27.3 to 2.27.5 (#1329) ... Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.27.3 to 2.27.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.27.3...v2.27.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-version: 2.27.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-13 14:12:33 +00:00
Zhiwei Yin	40de7f2ed1	refactor(registration): preserve ClusterRole/ClusterRoleBinding when managed cluster is denied (#1328) ... Refactored the removeClusterRbac function into separate functions to handle different RBAC resource cleanup scenarios: - removeClusterRBACResources: orchestrates full RBAC cleanup when cluster is deleted - removeClusterSpecificRBAC: removes ClusterRole and ClusterRoleBinding - removeClusterSpecificRoleBindings: removes registration and work RoleBindings When hubAcceptsClient is false (cluster denied), only RoleBindings are removed while ClusterRole and ClusterRoleBinding are preserved and updated. This ensures proper RBAC state for denied clusters without deleting cluster-scoped resources. Added unit test to verify that when a cluster is denied, only RoleBindings are deleted while ClusterRole and ClusterRoleBinding remain intact. Signed-off-by: Zhiwei Yin <zyin@redhat.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-01-13 10:16:00 +00:00
dependabot[bot]	021ceec923	🌱 Bump the aws group with 4 updates (#1327) ... Bumps the aws group with 4 updates: [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2), [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2), [github.com/aws/aws-sdk-go-v2/service/eks](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/aws-sdk-go-v2/service/iam](https://github.com/aws/aws-sdk-go-v2). Updates `github.com/aws/aws-sdk-go-v2` from 1.41.0 to 1.41.1 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.41.0...v1.41.1) Updates `github.com/aws/aws-sdk-go-v2/config` from 1.32.6 to 1.32.7 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.32.6...v1.32.7) Updates `github.com/aws/aws-sdk-go-v2/service/eks` from 1.76.3 to 1.76.4 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/eks/v1.76.3...service/eks/v1.76.4) Updates `github.com/aws/aws-sdk-go-v2/service/iam` from 1.53.1 to 1.53.2 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.53.1...service/s3/v1.53.2) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2 dependency-version: 1.41.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-version: 1.32.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws - dependency-name: github.com/aws/aws-sdk-go-v2/service/eks dependency-version: 1.76.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws - dependency-name: github.com/aws/aws-sdk-go-v2/service/iam dependency-version: 1.53.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-12 13:40:28 +00:00
Wei Liu	d5e677414c	add options to grpc broker (#1326) ... Signed-off-by: Wei Liu <liuweixa@redhat.com>	2026-01-12 12:50:14 +00:00
dependabot[bot]	532b09a440	🌱 Bump github.com/onsi/gomega from 1.38.3 to 1.39.0 (#1325) ... Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.38.3 to 1.39.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.38.3...v1.39.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-version: 1.39.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-12 05:44:07 +00:00
Guilhem Lettron	ac5f34839d	feat(manager): implement import-renderers (#1317) ... Signed-off-by: Guilhem Lettron <glettron@akamai.com>	2026-01-09 07:38:35 +00:00
Qing Hao	c6aa931619	fix(addon): remove internal annotation from v1alpha1 after conversion (#1321) ... When converting ManagedClusterAddOn from v1beta1 to v1alpha1, the internal annotation 'addon.open-cluster-management.io/v1alpha1-install-namespace' should be removed after being converted to Spec.InstallNamespace field. This annotation is only used internally for v1beta1 storage to preserve the InstallNamespace field which was removed in v1beta1. It should not appear in v1alpha1 API responses. Fixes: ACM-28133 🤖 Generated with [Claude Code](https://claude.com/claude-code) Signed-off-by: Qing Hao <qhao@redhat.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-01-09 01:34:23 +00:00
Érico GR	ad89f05351	🐛 Fix work rolebinding cleanup when hubAcceptsClient is set to false (#1318) ... * Fix work rolebinding cleanup when hubAcceptsClient is set to false Signed-off-by: Erico G. Rimoli <erico.rimoli@totvs.com.br> * Adds error handling to the removeClusterRbac call within the controller synchronization function Signed-off-by: Erico G. Rimoli <erico.rimoli@totvs.com.br>	2026-01-08 13:46:13 +00:00
Qing Hao	8e401c34a9	chore: update dependencies to contain v1beta1 addondeploymentconfig api and sdk-go (#1315) ... 🤖 Generated with [Claude Code](https://claude.ai/code) Signed-off-by: Qing Hao <qhao@redhat.com> Co-authored-by: Claude <noreply@anthropic.com>	2026-01-08 12:22:34 +00:00
Anne Lau	635b0ff7e9	PlacementRollout to reflect Ready status (#1281) ... Update with success count Remove status references Add unit tests Fix unit tests Update unit tests Test fix Fix tests for lastTransitionTime Fix integration tests Signed-off-by: annelau <annelau@salesforce.com> Co-authored-by: annelau <annelau@salesforce.com>	2026-01-08 01:53:14 +00:00
Carlos Cardeñosa	1b40e72e0b	Fix race condition: wait for CA bundle ConfigMap before applying CRDs (#1309) ... The cluster manager controller was silently using a literal "placeholder" string as the CA bundle when the ca-bundle-configmap ConfigMap didn't exist yet. This caused CRDs to be created with an invalid caBundle field (cGxhY2Vob2xkZXI= which is base64 of "placeholder"), resulting in: 1. CRD conversion webhooks failing with "InvalidCABundle" error 2. CRDs not becoming Established 3. API endpoints not being registered 4. Dependent components (like MultiClusterHub) failing with: "no matches for kind ClusterManagementAddOn" The bug was a race condition between the cert rotation controller (which creates the ca-bundle-configmap) and the cluster manager controller (which reads it). When the ConfigMap was not found, the code did "// do nothing" and silently continued with the placeholder value. This fix: 1. Creates the hub namespace FIRST (before waiting for the CA bundle) to allow the cert rotation controller to create the ca-bundle-configmap 2. Then waits for the CA bundle ConfigMap to exist before proceeding 3. Requeues via AddAfter if the ConfigMap is not found, allowing the controller to gracefully retry until the cert rotation controller has created it This ensures CRDs are always created with valid CA bundles while avoiding the deadlock where clusterManagerController waited for CA bundle but certRotationController needed the namespace first. Changes based on review feedback: - Use requeue (AddAfter) instead of returning error (@elgnay) - Use contextual logging instead of klog.V(4).Infof (@qiujian16) The issue was discovered in OpenShift CI Prow jobs for ZTP hub deployment: - https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-kni-eco-ci-cd-ztp-left-shifting-kpi-ci-4.21-telcov10n-virtualised-single-node-hub-ztp/2005051399989104640 - https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-kni-eco-ci-cd-ztp-left-shifting-kpi-ci-4.21-telcov10n-virtualised-single-node-hub-ztp/2005219283428184064 Affected versions: ACM 2.16.0-113/114, MCE 2.11.0-142/143 on OCP 4.21.0-rc.0 Signed-off-by: Carlos Cardenosa <ccardeno@redhat.com> Co-authored-by: Claude <noreply@anthropic.com>	2026-01-07 14:35:55 +00:00
Jian Qiu	46de05b285	Upgrade clusterprofile API (#1316) ... Signed-off-by: Jian Qiu <jqiu@redhat.com>	2026-01-07 08:56:35 +00:00
Wei Liu	81eb7f54e6	disabel mqtt integration test (#1312) ... Signed-off-by: Wei Liu <liuweixa@redhat.com>	2026-01-07 06:50:05 +00:00
dependabot[bot]	754b91ffcc	🌱 Bump google.golang.org/grpc from 1.77.0 to 1.78.0 (#1308) ... Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.77.0 to 1.78.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.77.0...v1.78.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-version: 1.78.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-05 01:59:25 +00:00