Update Go/Kubernetes dependencies and pin kind for Kubernetes 1.36 CI

.github/workflows/k8s-matrix.yaml

@@ -41,6 +41,7 @@ jobs:
       fail-fast: false
       matrix:
         matrixName:
+          - v1.36
           - v1.35
           - v1.34
           - v1.33
@@ -49,16 +50,22 @@ jobs:
           - v1.30
           - v1.29
         include:
+          # These top matrix entries use node images published with kind v0.32.0,
+          # keeping CI coverage aligned with the locally pinned kind binary.
+          - matrixName: v1.36
+            k8s: kindest/node:v1.36.1@sha256:3489c7674813ba5d8b1a9977baea8a6e553784dab7b84759d1014dbd78f7ebd5
+            kindCommand: kind-calico
+            runNetTests: true
           - matrixName: v1.35
-            k8s: kindest/node:v1.35.0@sha256:452d707d4862f52530247495d180205e029056831160e22870e37e3f6c1ac31f
+            k8s: kindest/node:v1.35.5@sha256:ce977ae6d65918d0b58a5f8b5e940429c2ce42fa3a5619ec2bbc60b949c0ac95
             kindCommand: kind-calico
             runNetTests: true
           - matrixName: v1.34
-            k8s: kindest/node:v1.34.0@sha256:7416a61b42b1662ca6ca89f02028ac133a309a2a30ba309614e8ec94d976dc5a
+            k8s: kindest/node:v1.34.8@sha256:02722c2dedddcfc00febf5d27fbeb9b7b2c14294c82109ff4a85d89ac9ba3256
             kindCommand: kind-calico
             runNetTests: true
           - matrixName: v1.33
-            k8s: kindest/node:v1.33.4@sha256:25a6018e48dfcaee478f4a59af81157a437f15e6e140bf103f85a2e7cd0cbbf2
+            k8s: kindest/node:v1.33.12@sha256:3f5c8443c620245e4d355cfe09e96a91ead32ceaa569d3f1ca9edf0cb2fe2ff4
             kindCommand: kind-calico
             runNetTests: true
           - matrixName: v1.32

.go-version

@@ -1 +1 @@
-1.26.3
+1.26.4

Makefile

@@ -2225,30 +2225,55 @@ create-ssl-secrets: $(BUILD_OUTPUT)/certs
 ##@ KinD
 
 KIND_CLUSTER   ?= operator
-KIND_IMAGE     ?= "kindest/node:v1.35.0@sha256:452d707d4862f52530247495d180205e029056831160e22870e37e3f6c1ac31f"
+KIND_VERSION   ?= v0.32.0
+# Kind v0.32.0 is pinned with the v1.36.1 node image because the release updates
+# containerd handling; using the matching CLI keeps image loading reliable.
+KIND           = $(TOOLS_BIN)/kind
+KIND_IMAGE     ?= "kindest/node:v1.36.1@sha256:3489c7674813ba5d8b1a9977baea8a6e553784dab7b84759d1014dbd78f7ebd5"
 CALICO_TIMEOUT ?= 300s
 KIND_SCRIPTS   := $(SCRIPTS_DIR)/kind
 KIND_CONFIG    ?= $(KIND_SCRIPTS)/kind-config.yaml
 
+# ----------------------------------------------------------------------------------------------------------------------
+# Install Kind
+# ----------------------------------------------------------------------------------------------------------------------
+.PHONY: kind-install $(TOOLS_BIN)/kind
+kind-install: $(TOOLS_BIN)/kind ## Install the pinned KinD CLI version used by local and CI clusters
+	$(KIND) version
+
+$(TOOLS_BIN)/kind:
+	mkdir -p $(TOOLS_BIN) || true
+	if ! test -x $(KIND) || ! $(KIND) version | grep -q "$(KIND_VERSION)"; then \
+		case "$(UNAME_S)-$(UNAME_M)" in \
+			Darwin-x86_64) kind_asset=kind-darwin-amd64 ;; \
+			Darwin-arm64) kind_asset=kind-darwin-arm64 ;; \
+			Linux-x86_64) kind_asset=kind-linux-amd64 ;; \
+			Linux-aarch64|Linux-arm64) kind_asset=kind-linux-arm64 ;; \
+			*) echo "Unsupported platform for kind: $(UNAME_S)-$(UNAME_M)" >&2; exit 1 ;; \
+		esac; \
+		curl -Lsf "https://github.com/kubernetes-sigs/kind/releases/download/$(KIND_VERSION)/$${kind_asset}" -o $(KIND); \
+		chmod +x $(KIND); \
+	fi
+
 # ----------------------------------------------------------------------------------------------------------------------
 # Start a Kind cluster
 # ----------------------------------------------------------------------------------------------------------------------
 .PHONY: kind
-kind:   ## Run a default KinD cluster
-	kind create cluster --name $(KIND_CLUSTER) --wait 10m --config $(KIND_CONFIG) --image $(KIND_IMAGE)
+kind: kind-install  ## Run a default KinD cluster
+	$(KIND) create cluster --name $(KIND_CLUSTER) --wait 10m --config $(KIND_CONFIG) --image $(KIND_IMAGE)
 	$(KIND_SCRIPTS)/kind-label-node.sh
 
 .PHONY: kind-dual
-kind-dual:   ## Run a KinD cluster configured for a dual stack IPv4 and IPv6 network
-	kind create cluster --name $(KIND_CLUSTER) --wait 10m --config $(KIND_SCRIPTS)/kind-config-dual.yaml --image $(KIND_IMAGE)
+kind-dual: kind-install  ## Run a KinD cluster configured for a dual stack IPv4 and IPv6 network
+	$(KIND) create cluster --name $(KIND_CLUSTER) --wait 10m --config $(KIND_SCRIPTS)/kind-config-dual.yaml --image $(KIND_IMAGE)
 	$(KIND_SCRIPTS)/kind-label-node.sh
 
 # ----------------------------------------------------------------------------------------------------------------------
 # Start a Kind cluster
 # ----------------------------------------------------------------------------------------------------------------------
 .PHONY: kind-single-worker
-kind-single-worker:   ## Run a KinD cluster with a single worker node
-	kind create cluster --name $(KIND_CLUSTER) --wait 10m --config $(KIND_SCRIPTS)/kind-config-single.yaml --image $(KIND_IMAGE)
+kind-single-worker: kind-install  ## Run a KinD cluster with a single worker node
+	$(KIND) create cluster --name $(KIND_CLUSTER) --wait 10m --config $(KIND_SCRIPTS)/kind-config-single.yaml --image $(KIND_IMAGE)
 	$(KIND_SCRIPTS)/kind-label-node.sh
 
 # ----------------------------------------------------------------------------------------------------------------------
@@ -2258,8 +2283,8 @@ CALICO_VERSION ?= v3.30.0
 
 .PHONY: kind-calico
 kind-calico: export KIND_CONFIG=$(KIND_SCRIPTS)/kind-config-calico.yaml
-kind-calico:   ## Run a KinD cluster with Calico
-	kind create cluster --name $(KIND_CLUSTER) --config $(KIND_SCRIPTS)/kind-config-calico.yaml --image $(KIND_IMAGE)
+kind-calico: kind-install  ## Run a KinD cluster with Calico
+	$(KIND) create cluster --name $(KIND_CLUSTER) --config $(KIND_SCRIPTS)/kind-config-calico.yaml --image $(KIND_IMAGE)
 	$(KIND_SCRIPTS)/kind-label-node.sh
 	$(KUBECTL_CMD) apply -f $(SCRIPTS_DIR)/calico/calico-$(CALICO_VERSION).yaml
 	$(KUBECTL_CMD) -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true
@@ -2271,43 +2296,43 @@ kind-calico:   ## Run a KinD cluster with Calico
 # Stop and delete the Kind cluster
 # ----------------------------------------------------------------------------------------------------------------------
 .PHONY: kind-stop
-kind-stop:   ## Stop and delete the KinD cluster named "$(KIND_CLUSTER)"
-	kind delete cluster --name $(KIND_CLUSTER)
+kind-stop: kind-install  ## Stop and delete the KinD cluster named "$(KIND_CLUSTER)"
+	$(KIND) delete cluster --name $(KIND_CLUSTER)
 
 # ----------------------------------------------------------------------------------------------------------------------
 # Load images into Kind
 # ----------------------------------------------------------------------------------------------------------------------
 .PHONY: kind-load
-kind-load: kind-load-operator kind-load-coherence  ## Load all images into the KinD cluster
-	kind load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE) || true
-	kind load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_CLIENT) || true
-	kind load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_HELIDON) || true
-	kind load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_HELIDON_3) || true
-	kind load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_HELIDON_2) || true
-	kind load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_SPRING) || true
-	kind load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_SPRING_FAT) || true
-	kind load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_SPRING_2) || true
-	kind load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_SPRING_FAT_2) || true
+kind-load: kind-install kind-load-operator kind-load-coherence  ## Load all images into the KinD cluster
+	$(KIND) load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE) || true
+	$(KIND) load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_CLIENT) || true
+	$(KIND) load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_HELIDON) || true
+	$(KIND) load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_HELIDON_3) || true
+	$(KIND) load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_HELIDON_2) || true
+	$(KIND) load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_SPRING) || true
+	$(KIND) load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_SPRING_FAT) || true
+	$(KIND) load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_SPRING_2) || true
+	$(KIND) load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_SPRING_FAT_2) || true
 ifneq (true,$(SKIP_SPRING_CNBP))
-	kind load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_SPRING_CNBP) || true
-	kind load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_SPRING_CNBP_2) || true
+	$(KIND) load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_SPRING_CNBP) || true
+	$(KIND) load docker-image --name $(KIND_CLUSTER) $(TEST_APPLICATION_IMAGE_SPRING_CNBP_2) || true
 endif
 
 .PHONY: kind-load-coherence
-kind-load-coherence:   ## Load the Coherence image into the KinD cluster
+kind-load-coherence: kind-install  ## Load the Coherence image into the KinD cluster
 	$(DOCKER_CMD) pull $(COHERENCE_IMAGE)
-	kind load docker-image --name $(KIND_CLUSTER) $(COHERENCE_IMAGE)
+	$(KIND) load docker-image --name $(KIND_CLUSTER) $(COHERENCE_IMAGE)
 
 .PHONY: kind-load-operator
-kind-load-operator:   ## Load the Operator images into the KinD cluster
-	kind load docker-image --name $(KIND_CLUSTER) $(OPERATOR_IMAGE) || true
+kind-load-operator: kind-install  ## Load the Operator images into the KinD cluster
+	$(KIND) load docker-image --name $(KIND_CLUSTER) $(OPERATOR_IMAGE) || true
 
 # ----------------------------------------------------------------------------------------------------------------------
 # Load compatibility images into Kind
 # ----------------------------------------------------------------------------------------------------------------------
 .PHONY: kind-load-compatibility
-kind-load-compatibility:   ## Load the compatibility test images into the KinD cluster
-	kind load docker-image --name $(KIND_CLUSTER) $(TEST_COMPATIBILITY_IMAGE) || true
+kind-load-compatibility: kind-install  ## Load the compatibility test images into the KinD cluster
+	$(KIND) load docker-image --name $(KIND_CLUSTER) $(TEST_COMPATIBILITY_IMAGE) || true
 
 # ======================================================================================================================
 # Targets related to running k3d clusters

README.md

@@ -71,7 +71,7 @@ Please consult the [security guide](./SECURITY.md) for our responsible security
 
 ## License
 
-Copyright (c) 2019, 2025 Oracle and/or its affiliates.
+Copyright (c) 2019, 2026 Oracle and/or its affiliates.
 
 *Replace this statement if your project is not licensed under the UPL*
 

docs/about/04_coherence_spec.adoc

@@ -922,22 +922,32 @@ m| enabled | Enabled is a boolean flag indicating whether enables or disables SS
 m| secrets | Secrets is the name of the k8s secret containing the Java key stores and password files. +
   The secret should be in the same namespace as the Coherence resource. + +
   This value MUST be provided if SSL is enabled on the Coherence management over REST endpoint. + m| *string | false
-m| keyStore | Keystore is the name of the Java key store file in the k8s secret to use as the SSL keystore +
-  when configuring component over REST to use SSL. + m| *string | false
-m| keyStorePasswordFile | KeyStorePasswordFile is the name of the file in the k8s secret containing the keystore +
-  password when configuring component over REST to use SSL. + m| *string | false
-m| keyPasswordFile | KeyStorePasswordFile is the name of the file in the k8s secret containing the key +
-  password when configuring component over REST to use SSL. + m| *string | false
+m| keyStore | Keystore is the Java key store value used as the SSL keystore when configuring component +
+  over REST to use SSL. When Secrets is set this is a file name in that k8s secret; + +
+  without Secrets it is an explicit path in the container, which lets users provide + +
+  externally mounted stores without rewriting them as secret keys. + m| *string | false
+m| keyStorePasswordFile | KeyStorePasswordFile is the file containing the keystore password when configuring +
+  component over REST to use SSL. When Secrets is set this is a file name in that k8s + +
+  secret; without Secrets it is an explicit path in the container read by the + +
+  operator's FileBasedPasswordProvider. + m| *string | false
+m| keyPasswordFile | KeyPasswordFile is the file containing the key password when configuring component over +
+  REST to use SSL. When Secrets is set this is a file name in that k8s secret; without + +
+  Secrets it is an explicit path in the container read by the operator's + +
+  FileBasedPasswordProvider. + m| *string | false
 m| keyStoreAlgorithm | KeyStoreAlgorithm is the name of the keystore algorithm for the keystore in the k8s secret +
   used when configuring component over REST to use SSL. If not set the default is SunX509 + m| *string | false
 m| keyStoreProvider | KeyStoreProvider is the name of the keystore provider for the keystore in the k8s secret +
   used when configuring component over REST to use SSL. + m| *string | false
 m| keyStoreType | KeyStoreType is the name of the Java keystore type for the keystore in the k8s secret used +
   when configuring component over REST to use SSL. If not set the default is JKS. + m| *string | false
-m| trustStore | TrustStore is the name of the Java trust store file in the k8s secret to use as the SSL +
-  trust store when configuring component over REST to use SSL. + m| *string | false
-m| trustStorePasswordFile | TrustStorePasswordFile is the name of the file in the k8s secret containing the trust store +
-  password when configuring component over REST to use SSL. + m| *string | false
+m| trustStore | TrustStore is the Java trust store value used as the SSL trust store when configuring +
+  component over REST to use SSL. When Secrets is set this is a file name in that k8s + +
+  secret; without Secrets it is an explicit path in the container, which keeps trust-only + +
+  configurations independent from the keystore settings. + m| *string | false
+m| trustStorePasswordFile | TrustStorePasswordFile is the file containing the trust store password when configuring +
+  component over REST to use SSL. When Secrets is set this is a file name in that k8s + +
+  secret; without Secrets it is an explicit path in the container read by the + +
+  operator's FileBasedPasswordProvider. + m| *string | false
 m| trustStoreAlgorithm | TrustStoreAlgorithm is the name of the keystore algorithm for the trust store in the k8s +
   secret used when configuring component over REST to use SSL.  If not set the default is SunX509. + m| *string | false
 m| trustStoreProvider | TrustStoreProvider is the name of the keystore provider for the trust store in the k8s +

examples/095_network_policies/README.adoc

@@ -797,7 +797,6 @@ kubectl -n coherence apply -f examples/095_network_policies/manifests/allow-dns.
 kubectl -n coherence apply -f examples/095_network_policies/manifests/allow-k8s-api-server.yaml
 kubectl -n coherence apply -f examples/095_network_policies/manifests/allow-operator-cluster-member-egress.yaml
 kubectl -n coherence apply -f examples/095_network_policies/manifests/allow-operator-rest-ingress.yaml
-kubectl -n coherence apply -f examples/095_network_policies/manifests/allow-webhook-ingress-from-all.yaml
 
 kubectl -n coh-test apply -f examples/095_network_policies/manifests/allow-dns.yaml
 kubectl -n coh-test apply -f examples/095_network_policies/manifests/allow-cluster-member-access.yaml

examples/095_network_policies/add-operator-policies.sh

@@ -10,7 +10,8 @@ fi
 
 kubectl -n ${NAMESPACE} apply -f "${WORK_DIR}/manifests/deny-all.yaml"
 kubectl -n ${NAMESPACE} apply -f "${WORK_DIR}/manifests/allow-dns-kube-system.yaml"
+# The operator must keep API-server egress after deny-all is applied; otherwise
+# it cannot watch resources or become ready during the network policy tests.
 kubectl -n ${NAMESPACE} apply -f "${WORK_DIR}/manifests/allow-k8s-api-server.yaml"
-kubectl -n ${NAMESPACE} apply -f "${WORK_DIR}/manifests/allow-webhook-ingress-from-all.yaml"
 kubectl -n ${NAMESPACE} apply -f "${WORK_DIR}/manifests/allow-operator-rest-ingress.yaml"
 kubectl -n ${NAMESPACE} apply -f "${WORK_DIR}/manifests/allow-operator-cluster-member-egress.yaml"

examples/095_network_policies/manifests/allow-k8s-api-server.yaml

@@ -8,13 +8,16 @@ spec:
       app.kubernetes.io/name: coherence-operator
   policyTypes:
     - Egress
-    - Ingress
   egress:
+    # The test harness replaces these template IPs with the live API endpoint
+    # and service IP. Keep them host-scoped so Kubernetes 1.36 strict CIDR
+    # validation accepts the generated NetworkPolicy and the operator can
+    # reach the API server after deny-all egress is applied.
     - to:
         - ipBlock:
-            cidr: 172.18.0.2/24
+            cidr: 172.18.0.2/32
         - ipBlock:
-            cidr: 10.96.0.1/24
+            cidr: 10.96.0.1/32
       ports:
         - port: 6443
           protocol: TCP

examples/095_network_policies/remove-operator-policies.sh

@@ -10,7 +10,8 @@ fi
 
 kubectl -n ${NAMESPACE} delete -f "${WORK_DIR}/manifests/deny-all.yaml"
 kubectl -n ${NAMESPACE} delete -f "${WORK_DIR}/manifests/allow-dns-kube-system.yaml"
+# Keep this list aligned with add-operator-policies.sh so teardown only removes
+# policies that are still installed by the current examples.
 kubectl -n ${NAMESPACE} delete -f "${WORK_DIR}/manifests/allow-k8s-api-server.yaml"
-kubectl -n ${NAMESPACE} delete -f "${WORK_DIR}/manifests/allow-webhook-ingress-from-all.yaml"
 kubectl -n ${NAMESPACE} delete -f "${WORK_DIR}/manifests/allow-operator-rest-ingress.yaml"
 kubectl -n ${NAMESPACE} delete -f "${WORK_DIR}/manifests/allow-operator-cluster-member-egress.yaml"