Overhaul: Part 1: Making Kubernetes naming scheme exchangeable

README.md

@@ -21,13 +21,12 @@ The table below marks known support of a kcp version in kcp-operator versions.
 
 <!-- The same table is in docs/content/README.md, make sure to keep them in-sync. -->
 
-| kcp    | `main`             | 0.1.x              |
-| ------ | ------------------ | ------------------ |
-| `main` | :warning:          | :question:         |
-| 0.30.x | :white_check_mark: | :question:         |
-| 0.29.x | :white_check_mark: | :question:         |
-| 0.28.x | :white_check_mark: | :question:         |
-| 0.27.x | :question:         | :white_check_mark: |
+| kcp    | `main`             | 0.7.x              | 0.6.x              | 0.5.x              |
+| ------ | ------------------ | ------------------ | ------------------ | ------------------ |
+| `main` | :warning:          | :question:         | :question:         | :question:         |
+| 0.31.x | :white_check_mark: | :white_check_mark: | :white_check_mark: | :question:         |
+| 0.30.x | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
+| 0.29.x | :question:         | :question:         | :question:         | :white_check_mark: |
 
 [^1]: While we try to support kcp's `main` branch, this support is best effort and should not be used for deploying actual kcp instances.
 

cmd/operator/main.go

@@ -25,7 +25,7 @@ import (
 
 	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	"github.com/go-logr/zapr"
-	kcpcorev1alpha1 "github.com/kcp-dev/kcp/sdk/apis/core/v1alpha1"
+	kcpcorev1alpha1 "github.com/kcp-dev/sdk/apis/core/v1alpha1"
 	"github.com/spf13/pflag"
 	"go.uber.org/zap/zapcore"
 

config/crd/bases/operator.kcp.io_frontproxies.yaml

@@ -112,8 +112,10 @@ spec:
                         type: string
                       clientSecret:
                         description: |-
-                          Optionally provide the client secret for the OIDC client. This is not used by kcp itself, but is used to generate
-                          a OIDC kubeconfig that can be shared with users to log in via the OIDC provider.
+                          ClientSecret is the OIDC client secret configured on the issuer side for this kcp instance.
+                          This is not used by kcp itself, but is used to generate a OIDC kubeconfig that can be
+                          shared with users to log in via the OIDC provider.
+                          Deprecated: kube OIDC is secretless.
                         type: string
                       groupsClaim:
                         description: 'Experimental: Optionally provides a custom claim

config/crd/bases/operator.kcp.io_rootshards.yaml

@@ -174,8 +174,10 @@ spec:
                         type: string
                       clientSecret:
                         description: |-
-                          Optionally provide the client secret for the OIDC client. This is not used by kcp itself, but is used to generate
-                          a OIDC kubeconfig that can be shared with users to log in via the OIDC provider.
+                          ClientSecret is the OIDC client secret configured on the issuer side for this kcp instance.
+                          This is not used by kcp itself, but is used to generate a OIDC kubeconfig that can be
+                          shared with users to log in via the OIDC provider.
+                          Deprecated: kube OIDC is secretless.
                         type: string
                       groupsClaim:
                         description: 'Experimental: Optionally provides a custom claim

config/crd/bases/operator.kcp.io_shards.yaml

@@ -174,8 +174,10 @@ spec:
                         type: string
                       clientSecret:
                         description: |-
-                          Optionally provide the client secret for the OIDC client. This is not used by kcp itself, but is used to generate
-                          a OIDC kubeconfig that can be shared with users to log in via the OIDC provider.
+                          ClientSecret is the OIDC client secret configured on the issuer side for this kcp instance.
+                          This is not used by kcp itself, but is used to generate a OIDC kubeconfig that can be
+                          shared with users to log in via the OIDC provider.
+                          Deprecated: kube OIDC is secretless.
                         type: string
                       groupsClaim:
                         description: 'Experimental: Optionally provides a custom claim

docs/content/README.md

@@ -22,12 +22,12 @@ The table below marks known support of a kcp version in kcp-operator versions.
 
 <!-- The same table is in the global README.md, make sure to keep them in-sync. -->
 
-| kcp    | `main`             | 0.1.x              |
-| ------ | ------------------ | ------------------ |
-| `main` | :warning:          | :question:         |
-| 0.29.x | :white_check_mark: | :question:         |
-| 0.28.x | :white_check_mark: | :question:         |
-| 0.27.x | :question:         | :white_check_mark: |
+| kcp    | `main`             | 0.7.x              | 0.6.x              | 0.5.x              |
+| ------ | ------------------ | ------------------ | ------------------ | ------------------ |
+| `main` | :warning:          | :question:         | :question:         | :question:         |
+| 0.31.x | :white_check_mark: | :white_check_mark: | :white_check_mark: | :question:         |
+| 0.30.x | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
+| 0.29.x | :question:         | :question:         | :question:         | :white_check_mark: |
 
 *Explanation*:
 

docs/content/contributing/continuous-integration/index.md

@@ -13,6 +13,6 @@ Here are the most important links:
 In order to run the E2E tests locally, you will need to setup cert-manager with the sample clusterissuer:
 
 ```sh
-helm upgrade --install --namespace cert-manager --create-namespace --version v1.19.3 --set crds.enabled=true cert-manager jetstack/cert-manager
+helm upgrade --install --namespace cert-manager --create-namespace --version v1.20.2 --set crds.enabled=true cert-manager jetstack/cert-manager
 kubectl apply -n cert-manager --filename hack/ci/testdata/clusterissuer.yaml
 ```

docs/content/contributing/local-setup.md

@@ -31,7 +31,7 @@ kind create cluster
 Install cert-manager, it is required to create kcp's PKI:
 
 ```sh
-kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.19.3/cert-manager.yaml
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.20.2/cert-manager.yaml
 ```
 
 Set up two etcd instances, one for the root shard and one for a supplementary shard:

docs/content/contributing/releasing.md

@@ -5,39 +5,52 @@ description: >
 
 # Release Process
 
-The guide describes how to release a new version of the kcp-operator.
+This document describes the end-to-end process for publishing a new kcp-operator release.
 
 ## Prerequisites
 
-1. Have all desired changes merged and/or cherrypicked into the appropriate
-   release branch.
+- Push access to the `kcp-dev/kcp-operator` repository.
+- All desired changes merged (and cherry-picked for patch releases).
 
-## Minor Release
+## 1. Bump the Default KCP Image Tag
 
-Minor releases (0.x) are tagged directly on the `main` branch and the `v0.X.0`
-tag represents where the corresponding `release/v0.X` branch branches off.
+Update the compiled-in default image tag in `internal/resources/resources.go`:
 
-1. Checkout the desired `main` branch commit.
-1. Tag the main module: `git tag -m "version 0.X" v0.X.0`
-1. Tag the SDK module: `git tag -m "SDK version 0.X" sdk/v0.X.0`
-1. Push the tags: `git push upstream v0.X.0 sdk/v0.X.0`
-1. Create the release branch: `git checkout -B release-0.X`
-1. Push the release branch: `git push -u upstream release-0.X`
+```go
+const (
+    ImageRepository = "ghcr.io/kcp-dev/kcp"
+    ImageTag        = "v0.XX.Y" // <-- update this
+)
+```
 
-Once the tag and branch have been pushed, the documentation has to be manually
-updated to include the new minor release.
+Commit and merge the change before tagging.
 
-1. Navigate to https://github.com/kcp-dev/kcp-operator/actions/workflows/docs-gen-and-push.yaml
-1. Run the workflow manually on the new release branch.
+## 2. Tag the Release
 
-Within a few minutes of the action finishing, the new branch should show up on
-https://docs.kcp.io/kcp-operator/.
+### Minor release (v0.X.0)
 
-## Patch Releases
+```bash
+git checkout main
+git tag -m "version 0.X" v0.X.0
+git tag -m "SDK version 0.X" sdk/v0.X.0
+git push upstream v0.X.0 sdk/v0.X.0
 
-Patch releases (v0.x.y) are tagged with in a release branch.
+# Create the release branch
+git checkout -B release-0.X
+git push -u upstream release-0.X
+```
 
-1. Checkout the desired `release/v0.X` branch commit.
-1. Tag the main module: `git tag -m "version 0.X.Y" v0.X.Y`
-1. Tag the SDK module: `git tag -m "SDK version 0.X.Y" sdk/v0.X.Y`
-1. Push the tags: `git push upstream v0.X.Y sdk/v0.X.Y`
+### Patch release (v0.X.Y)
+
+```bash
+git checkout release-0.X
+git tag -m "version 0.X.Y" v0.X.Y
+git tag -m "SDK version 0.X.Y" sdk/v0.X.Y
+git push upstream v0.X.Y sdk/v0.X.Y
+```
+
+## 3. Publish Documentation
+
+1. Go to the [docs-gen-and-push workflow](https://github.com/kcp-dev/kcp-operator/actions/workflows/docs-gen-and-push.yaml).
+2. Run the workflow manually on the release branch.
+3. Verify the new version appears on [docs.kcp.io/kcp-operator](https://docs.kcp.io/kcp-operator/).

go.mod

@@ -1,31 +1,30 @@
 module github.com/kcp-dev/kcp-operator
 
-go 1.24.0
+go 1.25.0
 
 replace github.com/kcp-dev/kcp-operator/sdk => ./sdk
 
 require (
-	github.com/Masterminds/semver/v3 v3.2.1
-	github.com/cert-manager/cert-manager v1.18.5
+	github.com/Masterminds/semver/v3 v3.4.0
+	github.com/cert-manager/cert-manager v1.20.2
 	github.com/go-logr/logr v1.4.3
 	github.com/go-logr/zapr v1.3.0
-	github.com/go-test/deep v1.1.0
-	github.com/kcp-dev/kcp-operator/sdk v0.0.0-00010101000000-000000000000
-	github.com/kcp-dev/kcp/sdk v0.28.3
+	github.com/go-test/deep v1.1.1
+	github.com/kcp-dev/kcp-operator/sdk v0.7.0
 	github.com/kcp-dev/logicalcluster/v3 v3.0.5
-	github.com/kcp-dev/sdk v0.30.0
-	github.com/prometheus/client_golang v1.22.0
-	github.com/spf13/pflag v1.0.6
+	github.com/kcp-dev/sdk v0.31.0
+	github.com/prometheus/client_golang v1.23.2
+	github.com/spf13/pflag v1.0.10
 	github.com/stretchr/testify v1.11.1
-	go.uber.org/zap v1.27.0
+	go.uber.org/zap v1.27.1
 	k8c.io/reconciler v0.5.0
-	k8s.io/api v0.34.2
-	k8s.io/apimachinery v0.34.2
-	k8s.io/client-go v0.34.2
-	k8s.io/component-base v0.34.2
-	k8s.io/klog/v2 v2.130.1
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
-	sigs.k8s.io/controller-runtime v0.19.0
+	k8s.io/api v0.35.4
+	k8s.io/apimachinery v0.35.4
+	k8s.io/client-go v0.35.4
+	k8s.io/component-base v0.35.4
+	k8s.io/klog/v2 v2.140.0
+	k8s.io/utils v0.0.0-20260319190234-28399d86e0b5
+	sigs.k8s.io/controller-runtime v0.23.3
 	sigs.k8s.io/yaml v1.6.0
 )
 
@@ -38,72 +37,79 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/egymgmbh/go-prefix-writer v0.0.0-20180609083313-7326ea162eca // indirect
-	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
-	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/jsonpointer v0.21.0 // indirect
-	github.com/go-openapi/jsonreference v0.21.0 // indirect
-	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/cel-go v0.26.0 // indirect
-	github.com/google/gnostic-models v0.7.0 // indirect
+	github.com/go-openapi/jsonpointer v0.23.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.5 // indirect
+	github.com/go-openapi/swag v0.26.0 // indirect
+	github.com/go-openapi/swag/cmdutils v0.26.0 // indirect
+	github.com/go-openapi/swag/conv v0.26.0 // indirect
+	github.com/go-openapi/swag/fileutils v0.26.0 // indirect
+	github.com/go-openapi/swag/jsonname v0.26.0 // indirect
+	github.com/go-openapi/swag/jsonutils v0.26.0 // indirect
+	github.com/go-openapi/swag/loading v0.26.0 // indirect
+	github.com/go-openapi/swag/mangling v0.26.0 // indirect
+	github.com/go-openapi/swag/netutils v0.26.0 // indirect
+	github.com/go-openapi/swag/stringutils v0.26.0 // indirect
+	github.com/go-openapi/swag/typeutils v0.26.0 // indirect
+	github.com/go-openapi/swag/yamlutils v0.26.0 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/cel-go v0.28.0 // indirect
+	github.com/google/gnostic-models v0.7.1 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/onsi/gomega v1.36.2 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/onsi/gomega v1.39.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/spf13/cobra v1.9.1 // indirect
-	github.com/stoewer/go-strcase v1.3.0 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.67.5 // indirect
+	github.com/prometheus/procfs v0.20.1 // indirect
+	github.com/spf13/cobra v1.10.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.66.0 // indirect
-	go.opentelemetry.io/otel v1.41.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.41.0 // indirect
-	go.opentelemetry.io/otel/metric v1.41.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.41.0 // indirect
-	go.opentelemetry.io/otel/trace v1.41.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
 	go.uber.org/goleak v1.3.1-0.20251210191316-2b7fd8a0d244 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.4 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/exp v0.0.0-20251125195548-87e1e737ad39 // indirect
-	golang.org/x/net v0.50.0 // indirect
-	golang.org/x/oauth2 v0.35.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.41.0 // indirect
-	golang.org/x/term v0.40.0 // indirect
-	golang.org/x/text v0.34.0 // indirect
-	golang.org/x/time v0.14.0 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 // indirect
+	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
+	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/oauth2 v0.36.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/term v0.42.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
+	golang.org/x/time v0.15.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260414002931-afd174a4e478 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260414002931-afd174a4e478 // indirect
 	google.golang.org/grpc v1.80.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.34.2 // indirect
-	k8s.io/apiserver v0.34.2 // indirect
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
-	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
-	sigs.k8s.io/gateway-api v1.1.0 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/apiextensions-apiserver v0.35.4 // indirect
+	k8s.io/apiserver v0.35.4 // indirect
+	k8s.io/kube-openapi v0.0.0-20260414162039-ec9c827d403f // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 // indirect
+	sigs.k8s.io/gateway-api v1.5.1 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.4.0 // indirect
 )