Merge pull request 'sriov webhooks to reload the renewed certificate.' (#348) from antaloala/Factory:edge-1759 into main

Reviewed-on: suse-edge/Factory#348
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>

network-resources-injector/injector-webhook-load-renewed-certs.patch

@@ -0,0 +1,39 @@
+diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
+index 1c8f418..b21de81 100644
+--- a/cmd/webhook/main.go
++++ b/cmd/webhook/main.go
+@@ -121,7 +121,7 @@ func main() {
+ 	// initialize webhook with controlSwitches
+ 	webhook.SetControlSwitches(controlSwitches)
+ 
+-	//initialize webhook with cache
++	// initialize webhook with cache
+ 	netAnnotationCache := netcache.Create()
+ 	netAnnotationCache.Start()
+ 	webhook.SetNetAttachDefCache(netAnnotationCache)
+@@ -192,11 +192,10 @@ func main() {
+ 
+ 	certUpdated := false
+ 	keyUpdated := false
++	watcher.Add(*cert)
++	watcher.Add(*key)
+ 
+ 	for {
+-		watcher.Add(*cert)
+-		watcher.Add(*key)
+-
+ 		select {
+ 		case event, ok := <-watcher.Events:
+ 			if !ok {
+@@ -209,9 +208,11 @@ func main() {
+ 				glog.V(2).Infof("modified file: %v", event.Name)
+ 				if event.Name == *cert {
+ 					certUpdated = true
++					watcher.Add(*cert)
+ 				}
+ 				if event.Name == *key {
+ 					keyUpdated = true
++					watcher.Add(*key)
+ 				}
+ 				if keyUpdated && certUpdated {
+ 					if err := keyPair.Reload(); err != nil {

network-resources-injector/network-resources-injector.spec

@@ -24,6 +24,9 @@ License:        Apache-2.0
 URL:            https://github.com/k8snetworkplumbingwg/network-resources-injector
 Source:         %{name}-%{version}.tar
 Source1:        vendor.tar.gz
+# Patch1 below backports changes from PR#187 (https://github.com/k8snetworkplumbingwg/network-resources-injector/pull/187);
+# to be removed once bumping (>= v1.9.0 upstream)
+Patch1:         injector-webhook-load-renewed-certs.patch
 BuildRequires:  golang(API) = 1.24
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}

rancher-turtles-chart/values.yaml

@@ -22,7 +22,7 @@ rancherTurtles:
   # rancherInstalled: True if Rancher already installed is in the cluster, this is the preferred installation way.
   rancherInstalled: false
   # kubectlImage: Image for kubectl tasks.
-  kubectlImage: "%%IMG_REPO%%/%%IMG_PREFIX%%kubectl:1.33.4"
+  kubectlImage: "%%IMG_REPO%%/%%IMG_PREFIX%%kubectl:1.34.2"
   # shellImage: Image for shell tasks.
   shellImage: registry.rancher.com/rancher/kuberlr-kubectl:v5.0.0
   # features: Optional and experimental features.

release-manifest-image/release_images.yaml

@@ -50,7 +50,7 @@ images:
   - name: registry.rancher.com/rancher/nginx-ingress-controller:v1.12.4-hardened2
   - name: registry.rancher.com/rancher/rancher-webhook:v0.8.1
   - name: registry.rancher.com/rancher/rancher/turtles:v0.24.3
-  - name: registry.rancher.com/rancher/rancher:v2.13.0
+  - name: registry.rancher.com/rancher/rancher:v2.13.1
   - name: registry.rancher.com/rancher/rke2-cloud-provider:v1.33.1-0.20250516163953-99d91538b132-build20250612
   - name: registry.rancher.com/rancher/scc-operator:v0.1.1
   - name: registry.rancher.com/rancher/system-upgrade-controller:v0.16.0

release-manifest-image/release_manifest.yaml

@@ -85,9 +85,8 @@ spec:
         - prettyName: Rancher
           releaseName: rancher
           chart: rancher
-          # Temporary switch to rancher latest until prime is released
-          version: 2.13.0
-          repository: https://releases.rancher.com/server-charts/latest
+          version: 2.13.1
+          repository: https://charts.rancher.com/server-charts/prime
           values:
             postDelete:
               enabled: false

sriov-network-operator/operator-webhook-load-renewed-certs.patch

@@ -0,0 +1,51 @@
+diff --git a/cmd/webhook/start.go b/cmd/webhook/start.go
+index c66d6c8b..23eaf928 100644
+--- a/cmd/webhook/start.go
++++ b/cmd/webhook/start.go
+@@ -25,14 +25,12 @@ var (
+ 	enableHTTP2 bool
+ )
+ 
+-var (
+-	startCmd = &cobra.Command{
+-		Use:   "start",
+-		Short: "Starts Webhook Daemon",
+-		Long:  "Starts Webhook Daemon",
+-		Run:   runStartCmd,
+-	}
+-)
++var startCmd = &cobra.Command{
++	Use:   "start",
++	Short: "Starts Webhook Daemon",
++	Long:  "Starts Webhook Daemon",
++	Run:   runStartCmd,
++}
+ 
+ // admitv1Func handles a v1 admission
+ type admitv1Func func(v1.AdmissionReview) *v1.AdmissionResponse
+@@ -190,10 +188,10 @@ func runStartCmd(cmd *cobra.Command, args []string) {
+ 	certUpdated := false
+ 	keyUpdated := false
+ 
+-	for {
+-		watcher.Add(certFile)
+-		watcher.Add(keyFile)
++	watcher.Add(certFile)
++	watcher.Add(keyFile)
+ 
++	for {
+ 		select {
+ 		case event, ok := <-watcher.Events:
+ 			if !ok {
+@@ -206,9 +204,11 @@ func runStartCmd(cmd *cobra.Command, args []string) {
+ 				setupLog.Info("modified file", "name", event.Name)
+ 				if event.Name == certFile {
+ 					certUpdated = true
++					watcher.Add(certFile)
+ 				}
+ 				if event.Name == keyFile {
+ 					keyUpdated = true
++					watcher.Add(keyFile)
+ 				}
+ 				if keyUpdated && certUpdated {
+ 					if err := keyPair.Reload(); err != nil {

sriov-network-operator/sriov-network-operator.spec

@@ -24,6 +24,9 @@ License:        Apache-2.0
 URL:            https://github.com/k8snetworkplumbingwg/sriov-network-operator
 Source:         sriov-network-operator-%{version}.tar
 Source1:        vendor.tar.gz
+# Patch1 below backports changes from PR#946 (https://github.com/k8snetworkplumbingwg/sriov-network-operator/pull/946);
+# to be removed once bumping (>= v1.7.0 upstrean)
+Patch1:         operator-webhook-load-renewed-certs.patch
 BuildRequires:  golang(API) = 1.23
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}

upgrade-controller-chart/values.yaml

@@ -15,7 +15,7 @@ env:
     image: %%MANIFEST_REPO%%/%%IMG_PREFIX%%release-manifest
   kubectl:
     image: %%IMG_REPO%%/%%IMG_PREFIX%%kubectl
-    version: 1.33.4
+    version: 1.34.2
 
 imagePullSecrets: []
 nameOverride: ""