Bump k8s.io/* to v1.35

[afritzler]

Summary by CodeRabbit

• Chores
  • Updated Kubernetes modules to v0.35.0 and controller-runtime to v0.23.0
  • Bumped golangci-lint to v2.8 and controller-tools to v0.20.0
  • Updated test infrastructure to use Kubernetes 1.35.0 binaries
• New Features
  • Added a validating webhook for BMC secrets
• Refactor
  • Streamlined webhook validation flows for clearer, strongly-typed handling
• Documentation
  • Updated API reference links and docs to Kubernetes v1.35 targets

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Tooling and dependency versions bumped, CRD metadata annotations regenerated, webhook validators migrated from runtime.Object to typed parameters, controllers switched some resource updates from Patch to Apply, probe functions simplified, a validating webhook for BMCSecret added, and test binary versions bumped to 1.35.0.

Changes

Cohort / File(s)	Summary
CI & Make /.github/workflows/lint.yml, Makefile	Bumped golangci-lint v2.5→v2.8 and controller-tools CONTROLLER_TOOLS_VERSION v0.19.0→v0.20.0; CI/Make targets updated accordingly.
Go modules go.mod	Upgraded Kubernetes modules to v0.35.0 and controller-runtime to v0.23.0; removed indirect gogo/protobuf reference.
CRD manifests config/crd/bases/...	Updated metadata annotations controller-gen.kubebuilder.io/version v0.19.0→v0.20.0 across CRD YAMLs; no schema changes.
Webhook manifests config/webhook/manifests.yaml	Added a new ValidatingWebhookConfiguration entry vbmcsecret-v1alpha1.kb.io for bmcsecrets (CREATE/UPDATE/DELETE).
Webhook validators internal/webhook/v1alpha1/...	Rewrote validators to accept strongly-typed *metalv1alpha1 objects (ValidateCreate/Update/Delete), removed runtime.Object casts/imports, updated Setup*WebhookWithManager to pass concrete types, added client to BMCSecret validator.
Controller changes internal/controller/bmc_controller.go, internal/controller/server_controller.go	Renamed handleAnnotionOperations→handleAnnotationOperations; switched resource updates from Patch/SetControllerReference to client Apply using applyconfigurations and WithOwnerReferences/ForceOwnership for DNS and secrets.
Probe simplifications internal/probe/*_darwin.go, internal/probe/system_info_darwin.go	Refactored functions to return slice literals directly and removed intermediate variables/log prints; behavior unchanged.
Tests & suites internal/*/suite_test.go, internal/cmd/move/move_test.go, internal/webhook/v1alpha1/bmcsecret_webhook_test.go	Bumped BinaryAssetsDirectory to Kubernetes 1.35.0; small test refactors (imports, slice construction, assertion style); updated bmcsecret test to set Immutable via async update.
Docs & api-reference docs/api-reference/api.md, hack/api-reference/config.yaml	Updated API reference links and render.kubernetesVersion from 1.34→1.35; doc link targets and templates updated to v1.35.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Refactor BIOSVersion webhook #575 — Similar webhook validator signature/type migration for BIOSVersion and related validation logic.
• Add BMCUser type and controller #368 — Related changes to BMCSecret webhook implementation and webhook manifest registration.

Suggested labels

api-change, size/XL

Suggested reviewers

• Nuckal777
• nagadeesh-nagaraja
• davidgrun

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is entirely empty, lacking any explanation of the changes, their rationale, or testing performed.	Add a description following the template with proposed changes, any issues fixed, and relevant details about the Kubernetes 1.35 upgrade and its impact.
Docstring Coverage	⚠️ Warning	Docstring coverage is 47.06% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title 'Bump k8s.io/* to v1.35' accurately and concisely summarizes the main change: upgrading Kubernetes-related modules to version 1.35.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch enh/k8s-1.35

Tip

🧪 Unit Test Generation v2 is now available!

We have significantly improved our unit test generation capabilities.

To enable: Add this to your .coderabbit.yaml configuration:

reviews:
  finishing_touches:
    unit_tests:
      enabled: true

Try it out by using the @coderabbitai generate unit tests command on your code files or under ✨ Finishing Touches on the walkthrough!

Have feedback? Share your thoughts on our Discord thread!

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@internal/controller/server_controller.go`:
- Around line 625-671: The OwnerReference construction using
bootConfig.APIVersion and bootConfig.Kind must be replaced with hardcoded values
to avoid SSA validation failures: create a single ownerRef (replace both
duplicated metav1apply.OwnerReference() blocks) that sets APIVersion to
"metal.ironcore.dev/v1alpha1" and Kind to "ServerBootConfiguration", keep the
WithName/WithUID/WithController/WithBlockOwnerDeletion calls as-is, and reuse
that ownerRef for both sshSecretApply and ignitionSecretApply to remove the
duplicated blocks.

In `@internal/webhook/v1alpha1/biossettings_webhook.go`:
- Around line 91-95: The error string mistakenly says "BMC" instead of "Server";
update the fmt.Errorf call that builds the duplicate reference message (the one
using settings.Spec.ServerRef.Name, settings.Name, bs.Spec.ServerRef.Name,
bs.Name) to refer to "Server" or "ServerRef" (e.g., "Server (%s) referred in %s
is duplicate of Server (%s) referred in %s") so the message correctly reflects
BIOSSettings' ServerRef usage.

🧹 Nitpick comments (2)

internal/webhook/v1alpha1/endpoint_webhook.go (1)

96-96: Inconsistent field path casing between create and update validations.

Line 96 uses "MACAddress" while Line 113 uses "macAddress". Consider aligning both to use consistent casing (typically macAddress to match JSON field naming conventions).

🔧 Suggested fix

 	for _, e := range endpoints.Items {
 		if e.Spec.MACAddress == spec.MACAddress {
-			allErrs = append(allErrs, field.Duplicate(field.NewPath("spec").Child("MACAddress"), e.Spec.MACAddress))
+			allErrs = append(allErrs, field.Duplicate(field.NewPath("spec").Child("macAddress"), e.Spec.MACAddress))
 		}
 	}

Also applies to: 113-113

internal/webhook/v1alpha1/bmcversion_webhook.go (1)

75-92: Redundant Get call - the object is already provided as parameter.

The ValidateDelete method fetches the BMCVersion via v.Client.Get(), but the admission request already provides the complete object in obj. This is unnecessary and could introduce race conditions if the object changes between the admission request and the Get call.

Other webhook files in this PR (e.g., biosversion_webhook.go, biossettings_webhook.go) directly use obj.Status.State without re-fetching.

♻️ Suggested simplification

 func (v *BMCVersionCustomValidator) ValidateDelete(ctx context.Context, obj *metalv1alpha1.BMCVersion) (admission.Warnings, error) {
 	bmcversionlog.Info("Validation for BMCVersion upon deletion", "name", obj.GetName())
 
-	bv := &metalv1alpha1.BMCVersion{}
-	err := v.Client.Get(ctx, client.ObjectKey{
-		Name:      obj.GetName(),
-		Namespace: obj.GetNamespace(),
-	}, bv)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get BMCVersion: %w", err)
-	}
-
-	if bv.Status.State == metalv1alpha1.BMCVersionStateInProgress && !ShouldAllowForceDeleteInProgress(obj) {
+	if obj.Status.State == metalv1alpha1.BMCVersionStateInProgress && !ShouldAllowForceDeleteInProgress(obj) {
 		return nil, apierrors.NewBadRequest("Unable to delete BMCVersion as it is in progress")
 	}
 
 	return nil, nil
 }

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

internal/webhook/v1alpha1/endpoint_webhook.go (1)

86-114: Keep MAC address error paths consistent across create/update.

The ValidateMACAddressCreate function reports spec.MACAddress (uppercase), while ValidateMACAddressUpdate reports spec.macAddress (lowercase). Additionally, both functions ignore the path parameter passed to them and create a new path instead. Use path.Child("macAddress") in both functions to maintain consistency and properly utilize the path context.

🔧 Proposed fix

-			allErrs = append(allErrs, field.Duplicate(field.NewPath("spec").Child("MACAddress"), e.Spec.MACAddress))
+			allErrs = append(allErrs, field.Duplicate(path.Child("macAddress"), e.Spec.MACAddress))

-			allErrs = append(allErrs, field.Duplicate(field.NewPath("spec").Child("macAddress"), e.Spec.MACAddress))
+			allErrs = append(allErrs, field.Duplicate(path.Child("macAddress"), e.Spec.MACAddress))

🤖 Fix all issues with AI agents

In `@docs/api-reference/api.md`:
- Around line 452-455: The table contains bare URLs (e.g., the RFC link in the
`data` row and the Kubernetes links in the `type` row) that trigger markdownlint
MD034; update those bare URLs to use Markdown autolinks (wrap each URL in angle
brackets, e.g. <https://...>) so they are recognized as links by the linter
while preserving the existing text and links for the `data` and `type` table
rows.

In `@internal/webhook/v1alpha1/bmcsettings_webhook.go`:
- Around line 64-66: The apierrors.NewInvalid call constructs schema.GroupKind
using mixed sources (newObj.GroupVersionKind().Group and oldObj.Kind); change it
so both Group and Kind come from the same object (use newObj). Replace the Kind
argument (oldObj.Kind) with newObj.GroupVersionKind().Kind (or newObj's
equivalent) in the schema.GroupKind constructor inside the return statement in
bmcsettings_webhook.go where NewInvalid is called.

🧹 Nitpick comments (1)

internal/webhook/v1alpha1/bmcversion_webhook.go (1)

78-89: Redundant API fetch in ValidateDelete.

The obj parameter already contains the BMCVersion being deleted. Re-fetching it from the API server (lines 78-85) is unnecessary, adds latency, and introduces a potential race condition if the object state changes between the admission request and the re-fetch.

Compare with bmcsettings_webhook.go which correctly uses obj directly:

if obj.Status.State == metalv1alpha1.BMCSettingsStateInProgress && !ShouldAllowForceDeleteInProgress(obj) {

Proposed fix to use obj directly

 func (v *BMCVersionCustomValidator) ValidateDelete(ctx context.Context, obj *metalv1alpha1.BMCVersion) (admission.Warnings, error) {
 	bmcversionlog.Info("Validation for BMCVersion upon deletion", "name", obj.GetName())
 
-	bv := &metalv1alpha1.BMCVersion{}
-	err := v.Client.Get(ctx, client.ObjectKey{
-		Name:      obj.GetName(),
-		Namespace: obj.GetNamespace(),
-	}, bv)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get BMCVersion: %w", err)
-	}
-
-	if bv.Status.State == metalv1alpha1.BMCVersionStateInProgress && !ShouldAllowForceDeleteInProgress(obj) {
+	if obj.Status.State == metalv1alpha1.BMCVersionStateInProgress && !ShouldAllowForceDeleteInProgress(obj) {
 		return nil, apierrors.NewBadRequest("Unable to delete BMCVersion as it is in progress")
 	}
 
 	return nil, nil
 }

[xkonni]

tried it, for once even the tests passed. looks good to me.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@Makefile`:
- Around line 274-279: The Makefile sets GOLANGCI_LINT_VERSION ?= v2.8 which may
be built with Go 1.24 and incompatible with the repo's Go 1.25; update
GOLANGCI_LINT_VERSION in the Makefile to a golangci-lint release built with Go
1.25 (or a known compatible version) or add a comment/verification step in the
Makefile/CI that confirms v2.8 is compatible; edit the GOLANGCI_LINT_VERSION
variable and any CI/install targets that consume it (search for
GOLANGCI_LINT_VERSION) to pin a compatible release or to perform an explicit
compatibility check.

🧹 Nitpick comments (3)

internal/webhook/v1alpha1/bmcversion_webhook.go (1)

75-92: Redundant Get call in ValidateDelete.

The obj parameter already contains the complete BMCVersion object being deleted, including its Status. The Get call on lines 78-85 re-fetches the same object, adding unnecessary latency. This also introduces a subtle inconsistency: bv.Status.State comes from the re-fetched object while ShouldAllowForceDeleteInProgress(obj) checks annotations on the original obj.

Compare with biosversion_webhook.go (lines 76-83) and biossettings_webhook.go (lines 75-83), which use obj.Status directly without re-fetching.

Proposed fix

 func (v *BMCVersionCustomValidator) ValidateDelete(ctx context.Context, obj *metalv1alpha1.BMCVersion) (admission.Warnings, error) {
 	bmcversionlog.Info("Validation for BMCVersion upon deletion", "name", obj.GetName())
 
-	bv := &metalv1alpha1.BMCVersion{}
-	err := v.Client.Get(ctx, client.ObjectKey{
-		Name:      obj.GetName(),
-		Namespace: obj.GetNamespace(),
-	}, bv)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get BMCVersion: %w", err)
-	}
-
-	if bv.Status.State == metalv1alpha1.BMCVersionStateInProgress && !ShouldAllowForceDeleteInProgress(obj) {
+	if obj.Status.State == metalv1alpha1.BMCVersionStateInProgress && !ShouldAllowForceDeleteInProgress(obj) {
 		return nil, apierrors.NewBadRequest("Unable to delete BMCVersion as it is in progress")
 	}
 
 	return nil, nil
 }

internal/webhook/v1alpha1/endpoint_webhook.go (1)

94-98: Inconsistent field path casing between ValidateMACAddressCreate and ValidateMACAddressUpdate.

ValidateMACAddressCreate uses "MACAddress" (PascalCase) on line 96, while ValidateMACAddressUpdate uses "macAddress" (camelCase) on line 113. For consistency and alignment with Kubernetes JSON field naming conventions (typically camelCase), both should use the same casing.

Proposed fix

 	for _, e := range endpoints.Items {
 		if e.Spec.MACAddress == spec.MACAddress {
-			allErrs = append(allErrs, field.Duplicate(field.NewPath("spec").Child("MACAddress"), e.Spec.MACAddress))
+			allErrs = append(allErrs, field.Duplicate(field.NewPath("spec").Child("macAddress"), e.Spec.MACAddress))
 		}
 	}

Also applies to: 111-114

internal/webhook/v1alpha1/bmcsecret_webhook.go (1)

34-36: Unused Client field in validator struct.

The Client field is initialized via mgr.GetClient() but never used in any of the validation methods. If this is intentional for future expansion, consider adding a brief comment. Otherwise, consider removing it to avoid dead code.