Update Go/Kubernetes dependencies and pin kind for Kubernetes 1.36 CI #866

Merged: vasac merged 4 commits into main from dev-june on Jun 24, 2026
vasac (Member) commented Jun 24, 2026

Summary

  • Update Go from 1.26.3 to 1.26.4 and refresh Go module dependencies, including Kubernetes libraries to v0.36.2.
  • Pin the kind CLI to v0.32.0 and use the matching Kubernetes v1.36.1 node image for local and CI kind clusters.
  • Add Kubernetes v1.36 coverage to the k8s matrix and refresh recent kind node images for v1.33-v1.35.
  • Fix network policy examples for Kubernetes 1.36 strict CIDR validation by using host-scoped /32 API server CIDRs.
  • Update management REST SSL documentation to clarify secret-backed file names versus explicit mounted file paths.

Details

The kind Makefile targets now install and use the project-pinned kind binary from build/tools/bin, avoiding reliance on the runner-provided kind version. This keeps kind load docker-image behavior aligned with the newer node images used by local and CI test flows.

The network policy example now keeps the API server allow policy egress-only, removes stale webhook policy references, and generates canonical /32 CIDRs so Kubernetes 1.36 accepts the resulting NetworkPolicy resources.

vasac added 4 commits June 24, 2026 17:42
Pin the kind CLI instead of relying on the runner-provided binary.

kind v0.32.0 publishes the Kubernetes v1.36.1 node image and also updates containerd handling. The release notes state that newly published node images require kind v0.32.0+ for kind load to work reliably. This project uses kind load docker-image in CI and local test flows, so the kind binary and the default node image need to be kept in sync.

Previously the Makefile used whatever kind happened to be on PATH, which made CI depend on the GitHub runner image. Installing the pinned binary under build/tools/bin makes the behavior reproducible and prevents an older ambient kind binary from being used with newer node images.

Kubernetes 1.36 rejects generated NetworkPolicy ipBlock CIDRs such as 172.18.0.3/24 because strict CIDR validation requires canonical network addresses. Use host-scoped /32 CIDRs for the API server endpoint and service IP so the operator-to-apiserver-egress policy applies after deny-all is installed.

Also make the API-server policy egress-only and remove stale allow-webhook-ingress-from-all references left after webhook removal.
oracle-contributor-agreement (bot) added the "OCA Verified" label (All contributors have signed the Oracle Contributor Agreement.) Jun 24, 2026
vasac requested a review from fryp June 24, 2026 17:50
vasac merged commit 16caa32 into main Jun 24, 2026
80 of 85 checks passed
vasac deleted the dev-june branch June 24, 2026 18:57
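
The strict CIDR rule described in the network policy commit message, as an added Go example that is not code from this pull request or the project: it checks whether an ipBlock CIDR is canonical and derives the host-scoped form (/32, or /128 for IPv6, which goes beyond the IPv4 case on the page). The function names and the 10.96.0.1 service IP are constructed for illustration, and the canonical check is a standard-library approximation of the validation the page describes, not Kubernetes' own code.

```go
package main

import (
	"fmt"
	"net/netip"
	"slices"
)

// IsCanonicalCIDR reports whether s has no host bits set (172.18.0.3/24 fails).
func IsCanonicalCIDR(s string) (bool, error) {
	p, err := netip.ParsePrefix(s)
	if err != nil {
		return false, err
	}
	return p == p.Masked(), nil
}

// HostCIDR turns an IP or "ip/len" string into a host-scoped /32 or /128 CIDR.
func HostCIDR(s string) (string, error) {
	addr, err := netip.ParseAddr(s)
	if p, perr := netip.ParsePrefix(s); err != nil && perr == nil {
		addr, err = p.Addr(), nil // keep the host address, drop the prefix length
	}
	if err != nil {
		return "", fmt.Errorf("not an IP or CIDR: %q", s)
	}
	addr = addr.Unmap() // treat ::ffff:a.b.c.d as plain IPv4
	return netip.PrefixFrom(addr, addr.BitLen()).String(), nil
}

// APIServerEgressCIDRs builds a de-duplicated ipBlock CIDR list for egress rules.
func APIServerEgressCIDRs(ips ...string) ([]string, error) {
	var out []string
	for _, ip := range ips {
		c, err := HostCIDR(ip)
		if err != nil {
			return nil, err
		}
		if !slices.Contains(out, c) {
			out = append(out, c)
		}
	}
	return out, nil
}

func main() { // 172.18.0.3/24 is from the page; 10.96.0.1 is a constructed service IP
	ok, _ := IsCanonicalCIDR("172.18.0.3/24")
	cidrs, _ := APIServerEgressCIDRs("172.18.0.3/24", "10.96.0.1")
	fmt.Println(ok, cidrs)
}
```

Running the canonical check over rendered NetworkPolicy manifests before applying them catches a non-canonical ipBlock before the policy is rejected and the cluster is left with only deny-all in place.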