Update module sigs.k8s.io/controller-runtime to v0.23.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
sigs.k8s.io/controller-runtime	v0.22.4 → v0.23.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

kubernetes-sigs/controller-runtime (sigs.k8s.io/controller-runtime)

v0.23.0

🔆 Highlights

• Client: Add subresource Apply support by @​alvaroaleman in #​3321
• Conversion: Enable implementation of conversion outside of API packages by @​sbueringer in #​3335
• Priorityqueue: Various improvements, bug fixes and now enabled per default
• Webhooks: Generic Validator and Defaulter by @​alvaroaleman in #​3360

⚠️ Breaking changes

• Dependencies: Update to k8s.io/* v1.35 by @​alvaroaleman @​dongjiang1989 @​kannon92 (#​3316, #​3349, #​3386, #​3391, #​3401)
• Client: Add subresource Apply support by @​alvaroaleman in #​3321
• Events: Migration to the new events API by @​clebs in #​3262
  • Using the new GetEventRecorderFor requires updating your rbac for events to use the events.k8s.io apiGroup rather than the `` (core) apiGroup
• Fakeclient: Set ResourceVersion for SSA Create by @​alvaroaleman in #​3311
• Webhooks: Generic Validator and Defaulter by @​alvaroaleman in #​3360
  • Existing code of the form builder.WebhookManagedBy(mgr).For(&corev1.Deployment{}) has to be changed to builder.WebhookManagedBy(mgr, &appsv1.Deployment{})
  • Existing webhook implementations have to be changed to take the concrete object rather than runtime.Object, for example from ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) to ValidateCreate(ctx context.Context, obj *appsv1.Deployment) (admission.Warnings, error)

✨ Features

• Cache: Allow fine-granular SyncPeriod configuration by @​sbueringer in #​3376
• Client: Add FieldOwner option to client.Options by @​aerfio in #​3389
• Client: Add FieldValidation option to client.Options by @​aerfio in #​3393
• Conversion: Enable implementation of conversion outside of API packages by @​sbueringer in #​3335
• Metrics: Add controller_runtime_reconcile_timeouts_total metric to track ReconciliationTimeout timeouts by @​godwinpang in #​3382
• Priorityqueue: Add optional Priority field to reconcile.Result by @​sbueringer in #​3333
• Priorityqueue: Enable per default by @​sbueringer in #​3332
• Priorityqueue: Use a buffer to optimize priority queue AddWithOpts performance by @​zach593 in #​3415
• Source/Kind: Delay reconciliation until handlers sync by @​GonzaloLuminary in #​3406
• Webhooks: Add WithContextFunc to WebhookBuilder by @​dmvolod in #​3324

🐛 Bugfixes

• Client: Allow SSA after normal resource creation by @​filipcirtog in #​3346
• Client: Fix List in namespaced client to list objects that are cluster scoped by @​troy0820 in #​3351 #​3353
• Envtest: Respect pre-configured binary paths in ControlPlane by @​mzhaom in #​3372
• Fakeclient: Fix a number of bugs when updating through apply by @​alvaroaleman in #​3319
• FakeClient: Fix Apply with Unstructured ApplyConfiguration and resourceVersion unset by @​sbueringer in #​3403
• Fakeclient: Fix SSA after List with non-list kind by @​sbueringer in #​3364
• Fakeclient: Panic when trying to build more than one instance of fake.ClientBuilder by @​troy0820 in #​3314
• Leaderelection: Copy all parent context values to leader elector's context by @​msudheendra-cflt in #​3327
• Metrics: Adding missing exponential buckets on webhook native histogram by @​brito-rafa in #​3411
• Priorityqueue: Do FIFO ordering within priorities and not across by @​zach593 in #​3408
• Priorityqueue: Don't block on Get when queue is shutdown (2nd try) by @​sbueringer in #​3337
• Priorityqueue: Ensure priority queue always returns high-priority items first by @​moritzmoe in #​3330
• Priorityqueue: Fix TestWhenAddingMultipleItemsWithRatelimitTrueTheyDontAffectEachOther by @​zach593 in #​3395
• Priorityqueue: Limit depthWithPriorityMetric cardinality to 25 by @​alvaroaleman #​3419
• Priorityqueue: Properly sync the waiter manipulation by @​fossedihelm in #​3368
• setup-envtest: Select the newest Kubernetes by default by @​cbandy in #​3380
• testing/addr: Prevent possible leak by avoiding defer in loop by @​s-z-z in #​3367

🌱 Other

• Dependencies: Update controller-tools to 0.20.0 and fix lint by @​dongjiang1989 in #​3405
• Linter: Add depguard golangci-linter for forbid sort pkg by @​dongjiang1989 in #​3374
• Linter: Modernize finalizer utils by @​tbavelier in #​3329
• Linter: Update golangci-lint version and modernize lint by @​dongjiang1989 in #​3384
• Linter: Update golangci-lint version to v2.4.0 by @​dongjiang1989 in #​3318
• Linter: Update golangci-lint version to v2.5.0 by @​dongjiang1989 in #​3323
• Linter: Update golangci-lint version to v2.7.2 by @​dongjiang1989 in #​3399
• Manager: Deflake should execute the Warmup function test when Warmup group is started by @​alvaroaleman in #​3356
• Misc: Add CreateOrPatch function in alias.go by @​tisonkun in #​3375
• Misc: Change sort to slices package by @​dongjiang1989 in #​3370
• Misc: Fix typo in unit test name by @​s-z-z in #​3304
• Misc: Revert deprecation of client.Apply by @​sbueringer in #​3307
• Priorityqueue: Add and use newQueueWithTimeForwarder by @​alvaroaleman in #​3336
• Priorityqueue: Add some more tests to the priorityqueue by @​alvaroaleman in #​3387
• Priorityqueue: Use separate b-trees for ready and non-ready items by @​alvaroaleman in #​3416
• Priorityqueue: Use synctest by @​alvaroaleman in #​3350

📖 Documentation

• Add a design for supporting warm replicas by @​godwinpang in #​3121
• Remove latest from setupenvtest docs by @​troy0820 in #​3359
• pkg/client/config: Remove outdated doc comments by @​haoqixu in #​3306
• Update client.Apply example by @​aerfio in #​3390
• Update README.md's compatibility matrix for v0.22.x. by @​renormalize in #​3392

Dependencies

Added

• github.com/Masterminds/semver/v3: v3.4.0
• github.com/gkampitakis/ciinfo: v0.3.2
• github.com/gkampitakis/go-diff: v1.3.2
• github.com/gkampitakis/go-snaps: v0.5.15
• github.com/goccy/go-yaml: v1.18.0
• github.com/joshdk/go-junit: v1.0.0
• github.com/maruel/natural: v1.1.1
• github.com/mfridman/tparse: v0.18.0
• github.com/tidwall/gjson: v1.18.0
• github.com/tidwall/match: v1.1.1
• github.com/tidwall/pretty: v1.2.1
• github.com/tidwall/sjson: v1.2.5
• go.uber.org/automaxprocs: v1.6.0
• golang.org/x/tools/go/expect: v0.1.0-deprecated
• golang.org/x/tools/go/packages/packagestest: v0.1.1-deprecated

Changed

• github.com/go-logr/logr: v1.4.2 → v1.4.3
• github.com/google/pprof: d1b30fe → 27863c8
• github.com/onsi/ginkgo/v2: v2.22.0 → v2.27.2
• github.com/onsi/gomega: v1.36.1 → v1.38.2
• github.com/prometheus/client_golang: v1.22.0 → v1.23.2
• github.com/prometheus/client_model: v0.6.1 → v0.6.2
• github.com/prometheus/common: v0.62.0 → v0.66.1
• github.com/prometheus/procfs: v0.15.1 → v0.16.1
• github.com/rogpeppe/go-internal: v1.13.1 → v1.14.1
• github.com/spf13/cobra: v1.9.1 → v1.10.0
• github.com/spf13/pflag: v1.0.6 → v1.0.9
• github.com/stretchr/testify: v1.10.0 → v1.11.1
• go.etcd.io/bbolt: v1.4.2 → v1.4.3
• go.etcd.io/etcd/api/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/client/pkg/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/client/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/pkg/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/server/v3: v3.6.4 → v3.6.5
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.58.0 → v0.61.0
• go.opentelemetry.io/otel/metric: v1.35.0 → v1.36.0
• go.opentelemetry.io/otel/sdk/metric: v1.34.0 → v1.36.0
• go.opentelemetry.io/otel/sdk: v1.34.0 → v1.36.0
• go.opentelemetry.io/otel/trace: v1.35.0 → v1.36.0
• go.opentelemetry.io/otel: v1.35.0 → v1.36.0
• go.yaml.in/yaml/v2: v2.4.2 → v2.4.3
• golang.org/x/crypto: v0.36.0 → v0.45.0
• golang.org/x/mod: v0.21.0 → v0.29.0
• golang.org/x/net: v0.38.0 → v0.47.0
• golang.org/x/oauth2: v0.27.0 → v0.30.0
• golang.org/x/sync: v0.12.0 → v0.18.0
• golang.org/x/sys: v0.31.0 → v0.38.0
• golang.org/x/telemetry: bda5523 → 078029d
• golang.org/x/term: v0.30.0 → v0.37.0
• golang.org/x/text: v0.23.0 → v0.31.0
• golang.org/x/tools: v0.26.0 → v0.38.0
• golang.org/x/xerrors: 5ec99f8 → 9bdfabe
• google.golang.org/genproto/googleapis/rpc: a0af3ef → 200df99
• google.golang.org/grpc: v1.72.1 → v1.72.2
• google.golang.org/protobuf: v1.36.5 → v1.36.8
• gopkg.in/evanphx/json-patch.v4: v4.12.0 → v4.13.0
• k8s.io/api: v0.34.0 → v0.35.0
• k8s.io/apiextensions-apiserver: v0.34.0 → v0.35.0
• k8s.io/apimachinery: v0.34.0 → v0.35.0
• k8s.io/apiserver: v0.34.0 → v0.35.0
• k8s.io/client-go: v0.34.0 → v0.35.0
• k8s.io/code-generator: v0.34.0 → v0.35.0
• k8s.io/component-base: v0.34.0 → v0.35.0
• k8s.io/gengo/v2: 85fd79d → ec3ebc5
• k8s.io/kms: v0.34.0 → v0.35.0
• k8s.io/kube-openapi: f3f2b99 → 589584f
• k8s.io/utils: 4c0f3b2 → bc988d5
• sigs.k8s.io/json: cfa47c3 → 2d32026

Removed

• github.com/kisielk/errcheck: v1.5.0
• github.com/kisielk/gotool: v1.0.0
• gopkg.in/yaml.v2: v2.4.0

New Contributors

• @​haoqixu made their first contribution in #​3306
• @​msudheendra-cflt made their first contribution in #​3327
• @​tbavelier made their first contribution in #​3329
• @​moritzmoe made their first contribution in #​3330
• @​filipcirtog made their first contribution in #​3346
• @​fossedihelm made their first contribution in #​3368
• @​mzhaom made their first contribution in #​3372
• @​tisonkun made their first contribution in #​3375
• @​renormalize made their first contribution in #​3392
• @​brito-rafa made their first contribution in #​3411
• @​GonzaloLuminary made their first contribution in #​3406

Full Changelog: kubernetes-sigs/controller-runtime@v0.22.0...v0.23.0

Thanks to all our contributors! 😊

v0.22.5

What's Changed

• 🌱 Bump k8s.io/* to v0.34.3 by @​sbueringer in #​3420

Full Changelog: kubernetes-sigs/controller-runtime@v0.22.4...v0.22.5

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
k8s.io/apiextensions-apiserver	v0.34.1 -> v0.35.0

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[codecov]

Codecov Report

❌ Patch coverage is 7.14286% with 39 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.94%. Comparing base (c32e65d) to head (6180937).

Files with missing lines	Patch %	Lines
cmd/thv-operator/main.go	0.00%	19 Missing ⚠️
...perator/controllers/virtualmcpserver_controller.go	0.00%	8 Missing ⚠️
...lpha1/virtualmcpcompositetooldefinition_webhook.go	0.00%	5 Missing ⚠️
...-operator/api/v1alpha1/virtualmcpserver_webhook.go	0.00%	5 Missing ⚠️
...ator/api/v1alpha1/mcpexternalauthconfig_webhook.go	50.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3345      +/-   ##
==========================================
+ Coverage   64.86%   64.94%   +0.07%     
==========================================
  Files         375      375              
  Lines       36596    36602       +6     
==========================================
+ Hits        23738    23771      +33     
+ Misses      10992    10966      -26     
+ Partials     1866     1865       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[dmjb]

@claude Analyze the k8s operator e2e test failures and the changes in this branch, and attempt to identify the cause of the test failures.

[claude]

Claude finished @dmjb's task in 6m 52s —— View job

---

Analysis Complete: E2E Test Failure Root Cause

• Check CI status and identify failing tests
• Read modified webhook files
• Compare webhook implementations against controller-runtime v0.23.0 breaking changes
• Analyze test failure logs
• Identify root cause
• Verify webhook infrastructure

---

Summary

The e2e tests are failing because the operator deployment cannot become ready. The root cause is missing webhook infrastructure (certificates, service, webhook configurations), not the controller-runtime v0.23.0 migration itself.

---

Detailed Analysis

What Changed in This PR

The PR correctly migrates webhook code from controller-runtime v0.22.4 to v0.23.0:

Changes in cmd/thv-operator/api/v1alpha1/*webhook.go:

• ✅ Changed from webhook.CustomValidator to admission.Validator[*T]
• ✅ Updated method signatures from runtime.Object to concrete types (e.g., *VirtualMCPServer)
• ✅ Changed ctrl.NewWebhookManagedBy(mgr).For(r) to builder.WebhookManagedBy[*T](mgr, r).WithValidator(r)

These changes are correct per controller-runtime v0.23.0 breaking changes.

The Real Problem

The operator fails to start because:

1. Webhooks are registered (cmd/thv-operator/main.go:300-313) when ENABLE_VMCP=true (the default)
2. Webhook server starts on port 9443 (main.go:78)
3. BUT webhook infrastructure is missing:
   • ❌ No webhook port (9443) in Helm chart (deploy/charts/operator/values.yaml only exposes 8080, 8081)
   • ❌ No Service exposing port 9443
   • ❌ No TLS certificates for webhook server
   • ❌ No ValidatingWebhookConfiguration deployed (exists in config/webhook/manifests.yaml but not used)

Test Failure Evidence

apps/v1/Deployment/toolhive-system/toolhive-operator
* status.(conditions[?type == 'Available'] | [0].status): Invalid value: "False": Expected value: "True"
* status.(readyReplicas): Invalid value: "null": Expected value: 1

The deployment times out after 60 seconds waiting to become available, indicating the operator pod is not starting successfully or failing health checks.

Why This Is Not a v0.23.0 Issue

1. Webhooks exist on origin/main (with v0.22.4) in the same configuration
2. The webhook code migration is correct
3. The issue is architectural: webhooks need infrastructure that doesn't exist

---

Why Are Tests Failing Now?

The tests are likely failing for one of these reasons:

1. Tests were already failing on main with webhooks enabled (would need to check main branch CI)
2. Something in v0.23.0 made webhook startup more strict (e.g., previously tolerated missing certs, now fails fast)
3. Test environment changed between when main last passed and now

The controller-runtime v0.23.0 release notes mention webhook changes but don't indicate they should cause startup failures without certificates.

---

Recommended Fix Options

Option 1: Disable Webhooks in E2E Tests (Quick Fix)

Modify test setup to disable VMCP features:

In test/e2e/chainsaw/operator/multi-tenancy/setup/chainsaw-test.yaml:39-44:

- operator-deploy-local
- --
- --set
- operator.features.virtualMCP=false  # Add this line
- --set
- operator.rbac.scope=namespace

This unblocks the PR while webhooks remain available for manual/production use (where infrastructure can be configured separately).

Option 2: Add Complete Webhook Infrastructure (Proper Fix)

This requires:

1. Add webhook service exposing port 9443
2. Add cert-manager or manual certificate provisioning
3. Deploy ValidatingWebhookConfiguration from config/webhook/manifests.yaml
4. Add port 9443 to Helm chart deployment
5. Configure certificate injection into webhook configuration

This is the right long-term solution but requires significant work beyond this PR's scope.

Option 3: Make Webhook Registration Conditional

Modify cmd/thv-operator/main.go to only register webhooks when certificates are available or when explicitly enabled via an additional flag. This adds complexity but allows gradual webhook rollout.

---

Recommendation

Implement Option 1 to unblock this dependency update PR. File a separate issue to track adding complete webhook infrastructure (Option 2) if webhooks are intended to be production-ready.

The controller-runtime v0.23.0 migration is correct and should be merged once tests pass with webhooks disabled.

---

Would you like me to implement Option 1 (disable webhooks in e2e tests)?

---

| Branch: renovate/sigs.k8s.io-controller-runtime-0.x

[jerm-dro]

I opened up this issue: #3360 for the long term fix for webhooks.