Merge branch 'main' into feat/admission-log

.github/ISSUE_TEMPLATE/release.yaml

@@ -15,13 +15,6 @@ body:
     - patch
   validations:
     required: true
-- type: checkboxes
-  id: release_branch
-  attributes:
-    label: "**For major/minor releases** Create `release/<MAJOR>.<MINOR>.x` Branch"
-    options:
-      # This can be automated. https://github.com/Kong/kubernetes-ingress-controller/issues/3772 tracks this effort
-      - label: "Create the `release/<MAJOR>.<MINOR>.x` branch at the place where you want to branch of off main"
 - type: checkboxes
   id: prepare_release_branch
   attributes:
@@ -46,6 +39,13 @@ body:
       - label: Once the PR is merged (the `prepare-release/x.y.z` branch will get automatically removed), approve and merge the automatic backport PR and [initiate a release job](https://github.com/Kong/kubernetes-ingress-controller/actions/workflows/release.yaml) on the `main` branch for major or minor release, for patch use the release branch. Your tag must use `vX.Y.Z` format. Set `latest` to true if this is be the latest release. That should be the case if a new major.minor release is done or a patch release is done on the latest minor version.
       - label: CI will validate the requested version, build and push an image, and run tests against the image before finally creating a tag and publishing a release. If tests fail, CI will push the image but not the tag or release. Investigate the failure, correct it as needed, and start a new release job.
       - label: The release workflow ([.github/workflows/release.yaml](/Kong/kubernetes-ingress-controller/blob/main/.github/workflows/release.yaml)) will update the `latest` branch - if the released version was set to be `latest` - to the just released tag.
+- type: checkboxes
+  id: release_branch
+  attributes:
+    label: "**For major/minor releases** Create `release/<MAJOR>.<MINOR>.x` Branch"
+    options:
+      # This can be automated. https://github.com/Kong/kubernetes-ingress-controller/issues/3772 tracks this effort
+      - label: "Create the `release/<MAJOR>.<MINOR>.x` branch at the place where you want to branch of off main. It should be done after the release workflow has run successfully."
 - type: checkboxes
   id: release_documents
   attributes:
@@ -68,13 +68,21 @@ body:
   attributes:
     label: "**For major/minor releases only** Bump charts' dependencies"
     options:
-      - label: Bump the KIC version in the [`kong/kong` Helm chart](https://github.com/Kong/charts/blob/main/charts/kong/values.yaml#L528) and release a new version of the chart.
+      - label: Synchronize `config/crd/bases` with [`kong/kong` charts CRDs][https://github.com/Kong/charts/blob/6c1421bf2f4/charts/kong/crds/custom-resource-definitions.yaml]
+      - label: Update RBAC policy rules (`kong.kubernetesRBACRules` template) in [`kong/kong`'s `charts/kong/templates`][https://github.com/Kong/charts/blob/0b1f635f180220f86d17f5b1b4dd60fc0dc35aae/charts/kong/templates/_helpers.tpl#L1292].
+      - label: Bump the KIC version in the [`kong/kong` Helm chart](https://github.com/Kong/charts/blob/main/charts/kong/values.yaml#L528).
+      - label: Release new version of the `kong/kong` Helm chart.
       - label: After `kong/kong` is released, bump the dependency on `kong/kong` chart in the [`kong/ingress` Helm chart](https://github.com/Kong/charts/blob/main/charts/ingress/Chart.yaml#L15) and release a new version of the chart.
 - type: textarea
   id: conformance_tests_report
   attributes:
     label: Conformance tests report
-    value: Trigger for released version CI workflow [Generate Kubernetes Gateway API conformance tests report](https://github.com/Kong/kubernetes-ingress-controller/actions/workflows/conformance_tests_report.yaml), verify artifact and submit it to https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports. It's still in experimental phase. Update the KIC version in the README's Gateway API conformance badge.
+    value: Trigger for released version CI workflow [Generate Kubernetes Gateway API conformance tests report](https://github.com/Kong/kubernetes-ingress-controller/actions/workflows/conformance_tests_report.yaml), verify artifact and submit it to https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports. Update the KIC version in the README's Gateway API conformance badge.
+- type: textarea
+  id: post_release_testing
+  attributes:
+    label: Post release testing
+    value: Appoint volunteer(s) to perform end-to-end testing of newly released features by following official documentation. Testing should cover following all the newly added or modified guides/tutorials, etc.
 - type: textarea
   id: release_trouble_shooting_link
   attributes:

.github/test_dependencies.yaml

@@ -20,7 +20,15 @@ e2e:
     - # renovate: datasource=docker depName=kindest/node versioning=docker
       kind: 'v1.30.0'
       # renovate: datasource=docker depName=istio/istioctl versioning=docker
+      istio: '1.22.1'
+    - # renovate: datasource=docker depName=kindest/node@only-patch versioning=docker
+      kind: 'v1.30.0'
+      # renovate: datasource=docker depName=istio/istioctl@only-patch versioning=docker
       istio: '1.21.2'
+    - # renovate: datasource=docker depName=kindest/node@only-patch versioning=docker
+      kind: 'v1.29.4'
+      # renovate: datasource=docker depName=istio/istioctl@only-patch versioning=docker
+      istio: '1.20.7'
     - # renovate: datasource=docker depName=kindest/node@only-patch packageName=kindest/node versioning=docker
       kind: 'v1.28.9'
       # renovate: datasource=docker depName=istio/istioctl@only-patch packageName=istio/istioctl versioning=docker
@@ -29,32 +37,25 @@ e2e:
       kind: 'v1.27.13'
       # renovate: datasource=docker depName=istio/istioctl@only-patch packageName=istio/istioctl versioning=docker
       istio: '1.18.7'
-    - # renovate: datasource=docker depName=kindest/node@only-patch packageName=kindest/node versioning=docker
-      kind: 'v1.26.15'
-      # renovate: datasource=docker depName=istio/istioctl@only-patch packageName=istio/istioctl versioning=docker
-      istio: '1.17.8'
 
   # renovate: datasource=helm depName=kuma registryUrl=https://kumahq.github.io/charts versioning=helm
-  kuma: '2.7.3'
+  kuma: '2.7.4'
 
 integration:
   helm:
     # renovate: datasource=helm depName=kong registryUrl=https://charts.konghq.com versioning=helm
-    kong: '2.38.0'
+    kong: '2.39.3'
   # renovate: datasource=docker depName=kindest/node versioning=docker
   kind: 'v1.30.0'
   # renovate: datasource=docker depName=kong versioning=docker
-  kong-oss: '3.7.0'
+  kong-oss: '3.7.1'
   # renovate: datasource=docker depName=kong/kong-gateway versioning=docker
-  kong-ee: '3.7.0.0'
+  kong-ee: '3.7.1.1'
 
 kongintegration:
   # renovate: datasource=docker depName=kong versioning=docker
-  kong-oss: '3.7.0'
+  kong-oss: '3.7.1'
 
 envtests:
-  # Because of a bug that was introduced in Kong EE 3.5 (https://konghq.atlassian.net/browse/KAG-3699),
-  # we need to stick to 3.4 in order to make our KongVault validation tests stable.
-  # This version should be bumped to the current one once the bug is fixed.
-  # PLEASE DO NOT BUMP THIS VERSION BEFORE KAG-3699 IS FIXED. renovate: datasource=docker depName=kong/kong-gateway versioning=docker
-  kong-ee: '3.4.3.4'
+  # renovate: datasource=docker depName=kong/kong-gateway versioning=docker
+  kong-ee: '3.7.1.1'

.github/workflows/_docker_build.yaml

@@ -110,7 +110,7 @@ jobs:
 
       - name: Build
         id: docker-build-dockerhub
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           push: false
           file: Dockerfile
@@ -129,7 +129,7 @@ jobs:
       # Build locally with outputs set to `type=docker,dest=/tmp/image.tar` to save the image as a `kic-image` artifact.
       - name: Build locally
         id: docker-build-local
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           load: true
           file: Dockerfile

.github/workflows/conformance_tests_report.yaml

@@ -40,6 +40,10 @@ jobs:
           fetch-tags: true
           ref: ${{ github.event.inputs.tag }}
 
+      - uses: jdx/mise-action@v2
+        with:
+          install: false
+
       - name: setup golang
         uses: actions/setup-go@v5
         with:

.github/workflows/nightly.yaml

@@ -51,7 +51,7 @@ jobs:
           tags: ${{ steps.tags-standard.outputs.TAGS_STANDARD }}
       - name: Build binary
         id: docker_build_binary
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           push: false
           file: Dockerfile
@@ -67,7 +67,7 @@ jobs:
             GOCACHE=${{ env.GOCACHE}}
       - name: Build and push distroless image to DockerHub
         id: docker_build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           push: true
           file: Dockerfile

.github/workflows/performance_nightly.yaml

@@ -20,37 +20,55 @@ jobs:
     with:
       kic-image: kong/nightly-ingress-controller:nightly
 
-  performance-tests-unreleased-kong:
-    needs: ensure-nightly-image-was-built
-    uses: ./.github/workflows/_performance_tests.yaml
-    secrets: inherit
-    with:
-      kic-image: kong/nightly-ingress-controller:nightly
-      # TODO: Previously we've used kong/kong:amd64-latest but that image reports
-      # its version (through AdminAPI / endpoint) as SHA instead of a semver.
-      # This breaks KIC's Admin root configuration verification on startup.
-      # To unblock this, we're switching to kong/kong-gateway-dev:nightly because
-      # it reports the next release to be released as semver in the version field.
-      # ref: https://github.com/Kong/kubernetes-ingress-controller/issues/4014
-      kong-image: kong/kong-gateway-dev:nightly
-      kong-effective-version: "3.4.1"
-
   test-reports:
     needs:
       - performance-tests
-      - performance-tests-unreleased-kong
     uses: ./.github/workflows/_test_reports.yaml
     secrets: inherit
     with:
       coverage: false
 
+  performance-reports:
+    timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}
+    runs-on: ubuntu-latest
+    needs: performance-tests
+    steps:
+      - uses: actions/checkout@v4
+      - name: setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.2
+          bundler-cache: true
+      - name: install uplot
+        run: |
+          gem install youplot
+
+      - name: download performance test results
+        uses: actions/download-artifact@v3
+        with:
+          name: performance-tests-results
+          path: perf-results
+
+      - name: drawing
+        run: |
+          cat perf-results/all_resource_apply*.txt >> result_of_all_resource_apply
+          uplot bar -d " " --title="Performance test for KIC" --ylabel="number of resources" --xlabel="time(ms) cost for all routes to apply to cluster" result_of_all_resource_apply
+
+          cat perf-results/all_resource_take_effect*.txt >> result_of_all_resource_take_effect
+          uplot bar -d " " --title="Performance test for KIC" --ylabel="number of resources" --xlabel="time(ms) cost for all routes to take effect." result_of_all_resource_take_effect
+
+          cat perf-results/one_resource_update*.txt >> result_of_one_resource_update
+          uplot bar -d " " --title="Performance test for KIC" --ylabel="number of resources" --xlabel="time(ms) cost for update one ingress." result_of_one_resource_update
+
+          cat perf-results/one_resource_take_effect*.txt >> result_of_one_resource_take_effect
+          uplot bar -d " " --title="Performance test for KIC" --ylabel="number of resources" --xlabel="time(ms) cost for update one ingress to take effect." result_of_one_resource_take_effect
+
   notify-on-slack:
     timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}
     runs-on: ubuntu-latest
     needs:
       - ensure-nightly-image-was-built
       - performance-tests
-      - performance-tests-unreleased-kong
       - test-reports
     if: always() && contains(needs.*.result, 'failure') && github.event_name == 'schedule'
     steps:

.github/workflows/release.yaml

@@ -81,6 +81,13 @@ jobs:
           echo "" >> $GITHUB_ENV
           echo 'type=raw,value=${{ steps.semver_parser.outputs.major }}.${{ steps.semver_parser.outputs.minor }}' >> $GITHUB_ENV
           echo 'EOF' >> $GITHUB_ENV
+      # Setup Golang to use go pkg cache which is utilized in Dockerfile's cache mount.
+      - name: Setup golang
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - run: echo "GOPATH=$(go env GOPATH)" >> $GITHUB_ENV
+      - run: echo "GOCACHE=$(go env GOCACHE)" >> $GITHUB_ENV
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Cache Docker layers
@@ -105,7 +112,7 @@ jobs:
           tags: ${{ env.TAGS_STANDARD }}${{ env.TAGS_SUPPLEMENTAL }}
       - name: Build binary
         id: docker_build_binary
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           push: false
           file: Dockerfile
@@ -117,9 +124,11 @@ jobs:
             TAG=${{ steps.meta.outputs.version }}
             COMMIT=${{ github.sha }}
             REPO_INFO=https://github.com/${{ github.repository }}.git
+            GOPATH=${{ env.GOPATH}}
+            GOCACHE=${{ env.GOCACHE}}
       - name: Build and push distroless image to DockerHub
         id: docker_build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           push: true
           file: Dockerfile
@@ -131,6 +140,8 @@ jobs:
             TAG=${{ steps.meta.outputs.version }}
             COMMIT=${{ github.sha }}
             REPO_INFO=https://github.com/${{ github.repository }}.git
+            GOPATH=${{ env.GOPATH}}
+            GOCACHE=${{ env.GOCACHE}}
 
   test-e2e:
     needs: [verify-manifest-tag, build-push-images]

.github/workflows/release_docs.yaml

@@ -59,7 +59,7 @@ jobs:
           git_commit_gpgsign: true
 
       - name: Create a PR in docs repo
-        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e
+        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c
         if: steps.detect-changes.outputs.HAS_CHANGES
         with:
           token: ${{ secrets.K8S_TEAM_BOT_GH_PAT }}

.golangci.yaml

@@ -38,6 +38,7 @@ linters:
   - nilerr
   - nolintlint
   - predeclared
+  - prealloc
   - revive
   - staticcheck
   - tenv
@@ -142,6 +143,8 @@ linters-settings:
     klog: true
     logr: true
     zap: false
+  prealloc:
+    for-loops: true
 issues:
   fix: true
   max-same-issues: 0
@@ -169,11 +172,21 @@ issues:
     linters:
       - gosec
     text: "TLS InsecureSkipVerify set true|Potential hardcoded credentials"
+  # Ignore prealloc in tests
+  - path: _test\.go
+    linters:
+      - prealloc
+    text: "Consider pre-allocating"
+  # Ignore prealloc in hack/ directory
+  - path: hack/
+    linters:
+      - prealloc
+    text: "Consider pre-allocating"
   # It's fine to use variable urls in tests.
   - linters:
       - gosec
     text: "Potential HTTP request made with variable url"
-    path: test\.go
+    path: _test\.go
   # Allow using SchemeGroupVersion, GroupVersion, GroupName, AddToScheme, and Install from gatewayv1alpha2,
   # gatewayv1beta1 and gatewayv1 as their values are different between versions, and we can't alias them in internal/gatewayapi/aliases.go.
   - linters:

.tools_versions.yaml

@@ -1,19 +1,19 @@
-# renovate: datasource=github-releases depName=kubernetes/code-generator
-kube-code-generator: "0.29.1"
+# renovate: datasource=github-tags depName=kubernetes/code-generator
+kube-code-generator: "0.30.2"
 # renovate: datasource=github-releases depName=kubernetes-sigs/controller-tools
 controller-tools: "0.15.0"
 # renovate: datasource=github-releases depName=kubernetes-sigs/kustomize
 kustomize: "5.3.0"
 # renovate: datasource=github-releases depName=golangci/golangci-lint
-golangci-lint: "1.59.0"
+golangci-lint: "1.59.1"
 # renovate: datasource=github-releases depName=GoogleContainerTools/skaffold
 skaffold: "2.12.0"
 # renovate: datasource=github-releases depName=kubernetes-sigs/controller-runtime
 setup-envtest: "0.18.4"
 # renovate: datasource=github-releases depName=elastic/crd-ref-docs
 crd-ref-docs: "0.0.12"
 # renovate: datasource=github-releases depName=mikefarah/yq
-yq: "4.44.1"
+yq: "4.44.2"
 # renovate: datasource=github-releases depName=jstemmer/go-junit-report
 gojunit-report: "2.1.0"
 # renovate: datasource=github-releases depName=gotestyourself/gotestsum