Merge upstream changes

.github/renovate.json

@@ -0,0 +1,32 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [
+        "config:recommended",
+        "helpers:pinGitHubActionDigests",
+        "schedule:weekly"
+    ],
+    "postUpdateOptions": [
+        "gomodTidy"
+    ],
+    "branchPrefix": "grafanarenovatebot/",
+    "platformCommit": true,
+    "dependencyDashboard": false,
+    "rebaseWhen": "behind-base-branch",
+    "packageRules": [
+         {
+             "description": "Group all go dependencies together to reduce noise",
+             "matchDatasources": ["go"],
+             "groupName": "go dependencies"
+         },
+         {
+             "description": "Disable Docker updates",
+             "matchManagers": ["dockerfile"],
+             "enabled": false
+         }
+     ],
+     "separateMajorMinor": false,
+     "vulnerabilityAlerts": {
+         "enabled": true
+     },
+    "osvVulnerabilityAlerts": true
+}

.github/workflows/ci.yaml

@@ -3,59 +3,73 @@ on:
   push:
     branches: [main]
   pull_request:
+
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
-          go-version: '1.23'
+          persist-credentials: false
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+        with:
+          go-version: '1.24'
           check-latest: true
       - run: make rollout-operator
 
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
         with:
-          go-version: '1.23'
+          go-version: '1.24'
           check-latest: true
       - run: make test
       - run: make test-boringcrypto
 
   integration:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
-          go-version: '1.23'
+          persist-credentials: false
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+        with:
+          go-version: '1.24'
           check-latest: true
       - run: make build-image
       - run: make integration
 
   integration-boringcrypto:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
         with:
-          go-version: '1.23'
+          go-version: '1.24'
           check-latest: true
       - run: make build-image-boringcrypto
       - run: make integration
 
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
         with:
-          go-version: '1.23'
+          go-version: '1.24'
           check-latest: true
-      - uses: golangci/golangci-lint-action@v6
+      - uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8
         with:
-          version: v1.60.1
+          version: v2.1.6
           args: --timeout=5m

.github/workflows/renovate.yml

@@ -0,0 +1,47 @@
+name: Renovate
+on:
+  schedule:
+    # Every 12 hours, offset by 22 minutes to avoid busy times
+    - cron: "22 */12 * * *"
+  # Allow manually triggering
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  renovate:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: retrieve secrets
+        id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@7d18a46aafb8b875ed76a0bc98852d74b91e7f91 # v1.0.0
+        with:
+          common_secrets: |
+            GRAFANA_RENOVATE_APP_ID=grafana-renovate-app:app-id
+            GRAFANA_RENOVATE_PRIVATE_KEY=grafana-renovate-app:private-key
+
+      - name: Create GitHub app token
+        id: app-token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2
+        with:
+          app-id: ${{ env.GRAFANA_RENOVATE_APP_ID }}
+          private-key: ${{ env.GRAFANA_RENOVATE_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@bdfd950c25796ebf1aa0c127ad55b69a14b04f69 # v43.0.3
+        with:
+          renovate-version: 40.58.0
+          token: "${{ steps.app-token.outputs.token }}"
+        env:
+          RENOVATE_PLATFORM: github
+          RENOVATE_REPOSITORIES: ${{ github.repository }}
+          RENOVATE_USERNAME: GrafanaRenovateBot

.golangci.yaml

@@ -1,24 +1,29 @@
+version: "2"
 run:
   build-tags:
     - requires_docker
-
 linters:
+  settings:
+    errcheck:
+      # Use exclude-functions instead of exclude, since the GitHub Action's caching is broken.
+      # When changing the file referenced by exclude, the GitHub Action may use an older cache
+      # entry and ignore the changes in said file (thus breaking CI).
+      exclude-functions:
+        - (github.com/go-kit/log.Logger).Log
+  exclusions:
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+formatters:
   enable:
     - gci
     - gofmt
-
-linters-settings:
-  errcheck:
-    # Use exclude-functions instead of exclude, since the GitHub Action's caching is broken.
-    # When changing the file referenced by exclude, the GitHub Action may use an older cache
-    # entry and ignore the changes in said file (thus breaking CI).
-    exclude-functions:
-      - (github.com/go-kit/log.Logger).Log
-
-  gci:
-    skip-generated: true
-    custom-order: true
-    sections:
-      - standard
-      - default
-      - prefix(github.com/grafana/rollout-operator)
+  settings:
+    gci:
+      sections:
+        - standard
+        - default
+        - prefix(github.com/grafana/rollout-operator)
+      custom-order: true

CHANGELOG.md

@@ -2,6 +2,88 @@
 
 ## main / unreleased
 
+* [CHANGE] Rename flag `server.cluster-validation.http.exclude-paths` to `server.cluster-validation.http.excluded-paths` to align with `dskit`. #247
+* [ENHANCEMENT] Updated dependencies, including: #236 #238 #242 #247
+  * `github.com/prometheus/common` from `v0.64.0` to `v0.65.0`
+  * `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` from `v0.60.0` to `v0.62.0`
+  * `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` from `v0.60.0` to `v0.62.0`
+  * `go.opentelemetry.io/otel` from `v1.36.0` to `v1.37.0`
+  * `go.opentelemetry.io/otel/trace` from `v1.36.0` to `v1.37.0`
+  * `golang.org/x/sync` from `v0.15.0` to `v0.16.0`
+  * `k8s.io/api` from `v0.33.1` to `v0.33.3`
+  * `k8s.io/apimachinery` from `v0.33.1` to `v0.33.3`
+  * `k8s.io/client-go` from `v0.33.1` to `v0.33.3`
+* [BUGFIX] Always configure HTTP client with a timeout. #240
+
+## v0.28.0
+
+* [ENHANCEMENT] Updated dependencies, including: #227 #231
+  * `golang.org/x/sync` from `v0.14.0` to `v0.15.0`
+  * `sigs.k8s.io/controller-runtime` from `v0.20.4` to `v0.21.0`
+* [ENHANCEMENT] Migrate to OpenTelemetry tracing library, removing the dependency on OpenTracing. You can now configure tracing using the standard `OTEL_` [environment variables](https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/#batch-span-processor). Previous configurations using `JAEGER_` environment variables will still work, but are deprecated. #234
+
+## v0.27.0
+
+* [CHANGE] Rename metric `rollout_operator_request_invalid_cluster_validation_labels_total` to `rollout_operator_client_invalid_cluster_validation_label_requests_total`. #217
+* [ENHANCEMENT] Add metric `rollout_operator_server_invalid_cluster_validation_label_requests_total`. #223
+* [ENHANCEMENT] Updated dependencies, including: #223 #224
+  * `github.com/prometheus/client_golang` from `v1.21.1` to `v1.22.0`
+  * `github.com/prometheus/common` from `v0.63.0` to `v0.64.0`
+  * `golang.org/x/sync` from `v0.12.0` to `v0.14.0`
+  * `k8s.io/api` from `v0.32.3` to `v0.33.1`
+  * `k8s.io/apimachinery` from `v0.32.3` to `v0.33.1`
+  * `k8s.io/client-go` from `v0.32.3` to `v0.33.1`
+* [BUGFIX] Use a StatefulSet's `.spec.serviceName` when constructing the prepare-downscale endpoint for a pod. #221
+
+## v0.26.0
+
+* [FEATURE] Add cross-cluster traffic protection. #195b
+  * Controlled through the flags `-server.cluster-validation.http.enabled`, `-server.cluster-validation.http.soft-validation`, `-server.cluster-validation.http.exclude-paths`.
+  * Rejected requests can be monitored via the metric `rollout_operator_request_invalid_cluster_validation_labels_total`.
+
+## v0.25.0
+
+* [ENHANCEMENT] Updated dependencies, including: #203
+  * `github.com/prometheus/client_golang` from `v1.20.5` to `v1.21.1`
+  * `github.com/prometheus/common` from `v0.62.0` to `v0.63.0`
+  * `golang.org/x/sync` from `v0.11.0` to `v0.12.0`
+  * `k8s.io/api` from `v0.32.1` to `v0.32.3`
+  * `k8s.io/apimachinery` from `v0.32.1` to `v0.32.3`
+  * `k8s.io/client-go` from `v0.32.1` to `v0.32.3`
+  * `sigs.k8s.io/controller-runtime` from `v0.20.1` to `v0.20.4`
+
+## v0.24.0
+
+* [ENHANCEMENT] Update Go to `1.24` #196
+* [ENHANCEMENT] Updated dependencies, including: #197
+  * `github.com/prometheus/common` from `v0.61.0` to `v0.62.0`
+  * `golang.org/x/sync` from `v0.10.0` to `v0.11.0`
+  * `k8s.io/api` from `v0.32.0` to `v0.32.1`
+  * `k8s.io/apimachinery` from `v0.32.0` to `v0.32.1`
+  * `k8s.io/client-go` from `v0.32.0` to `v0.32.1`
+  * `sigs.k8s.io/controller-runtime` from `v0.19.3` to `v0.20.1`
+
+## v0.23.0
+
+* [ENHANCEMENT] Make timeout for requests to Pods and to the Kubernetes control plane configurable. #188
+* [ENHANCEMENT] Updated dependencies, including: #189 #191
+  * `github.com/prometheus/client_golang` from `v1.20.4` to `v1.20.5`
+  * `github.com/prometheus/common` from `v0.59.1` to `v0.61.0`
+  * `k8s.io/api` from `v0.31.1` to `v0.32.0`
+  * `k8s.io/apimachinery` from `v0.31.1` to `v0.32.0`
+  * `k8s.io/client-go` from `v0.31.1` to `v0.32.0`
+  * `sigs.k8s.io/controller-runtime` from `v0.19.0` to `v0.19.3`
+  * `golang.org/x/net` from `v0.28.0` to `v0.33.0`
+
+## v0.22.0
+
+* [ENHANCEMENT] New parameter log.format allows to set logging format to logfmt (default) or json (new). #184
+* [ENHANCEMENT] Add a 5 minute timeout to requests to Pods and to the Kubernetes control plane. #186
+
+## v0.21.0
+
+* [ENHANCEMENT] Log debug information about StatefulSets as they are created, updated and deleted. #182
+
 ## v0.20.1
 
 * [BUGFIX] Improved handling of URL ports in `createPrepareDownscaleEndpoints` function. The function now correctly preserves the port when replacing the host in the URL. #176

Dockerfile

@@ -1,6 +1,6 @@
-ARG BASEIMAGE
+ARG BASEIMAGE=gcr.io/distroless/static-debian12:nonroot
 
-FROM golang:1.23-bookworm AS build
+FROM golang:1.24-bookworm AS build
 
 ARG TARGETOS
 ARG TARGETARCH

Makefile

@@ -15,7 +15,6 @@ GOARCH ?= $(shell go env GOARCH)
 DONT_FIND := -name vendor -prune -o -name .git -prune -o -name .cache -prune -o -name .pkg -prune
 GO_FILES := $(shell find . $(DONT_FIND) -o -type f -name '*.go' -print)
 
-BASE_IMAGE=gcr.io/distroless/static-debian12:nonroot
 # Boringcrypto has a different base image for glibc
 BORINGCRYPTO_BASE_IMAGE=gcr.io/distroless/base-nossl-debian12:nonroot
 
@@ -35,7 +34,7 @@ rollout-operator-boringcrypto: $(GO_FILES) ## Build the rollout-operator binary
 
 .PHONY: build-image
 build-image: clean ## Build the rollout-operator image
-	docker buildx build --load --platform linux/amd64 --build-arg revision=$(GIT_REVISION) --build-arg BASEIMAGE=$(BASE_IMAGE) -t rollout-operator:latest -t rollout-operator:$(IMAGE_TAG) .
+	docker buildx build --load --platform linux/amd64 --build-arg revision=$(GIT_REVISION) -t rollout-operator:latest -t rollout-operator:$(IMAGE_TAG) .
 
 .PHONY: build-image-boringcrypto
 build-image-boringcrypto: clean ## Build the rollout-operator image with boringcrypto
@@ -47,12 +46,17 @@ publish-images: publish-standard-image publish-boringcrypto-image ## Build and p
 
 .PHONY: publish-standard-image
 publish-standard-image: clean ## Build and publish only the standard rollout-operator image
-	docker buildx build --push --platform linux/amd64,linux/arm64 --build-arg revision=$(GIT_REVISION) --build-arg BASEIMAGE=$(BASE_IMAGE) --build-arg BUILDTARGET=rollout-operator -t $(IMAGE_PREFIX)/rollout-operator:$(IMAGE_TAG) .
+	docker buildx build --push --platform linux/amd64,linux/arm64 --build-arg revision=$(GIT_REVISION) -t $(IMAGE_PREFIX)/rollout-operator:$(IMAGE_TAG) .
 
 .PHONY: publish-boringcrypto-image
 publish-boringcrypto-image: clean ## Build and publish only the boring-crypto rollout-operator image
 	docker buildx build --push --platform linux/amd64,linux/arm64 --build-arg revision=$(GIT_REVISION) --build-arg BASEIMAGE=$(BORINGCRYPTO_BASE_IMAGE) --build-arg BUILDTARGET=rollout-operator-boringcrypto -t $(IMAGE_PREFIX)/rollout-operator-boringcrypto:$(IMAGE_TAG) .
 
+.PHONY: release-notes 
+release-notes: ## Generate the release notes for a GitHub release
+	@echo "Docker images: \`${IMAGE_PREFIX}/rollout-operator:${IMAGE_TAG}\` and \`${IMAGE_PREFIX}/rollout-operator-boringcrypto:${IMAGE_TAG}\`\n\n## Changelog"
+	@awk -v var="${IMAGE_TAG}" '$$0 ~ "## "var {flag=1; next} /^##/{flag=0} flag' CHANGELOG.md
+
 .PHONY: test
 test: ## Run tests
 	go test ./...

RELEASE.md

@@ -2,16 +2,20 @@
 
 1. Update `CHANGELOG.md`
   - Open PR and get it merged
-1. Create a new tag that follows semantic versioning:
+2. Create a new tag that follows semantic versioning:
     ```bash
     $ tag=v0.1.0
     $ git tag -s "${tag}" -m "${tag}"
     $ git push origin "${tag}"
     ```
-1. Publish the updated Docker image
+3. Publish the updated Docker image
     ```bash
     $ IMAGE_TAG="${tag}" make publish-images
     ```
-1. Update Helm Chart
+4. Create a new GitHub release [here](https://github.com/grafana/rollout-operator/releases/new) based on the tag. The release notes can be generated with:
+    ```bash
+    $ IMAGE_TAG="${tag}" make release-notes
+    ```
+5. Update the Helm Chart
   - Repository https://github.com/grafana/helm-charts/tree/main/charts/rollout-operator
-  - [Example PR](https://github.com/grafana/helm-charts/pull/3177/files)
+  - [Example PR](https://github.com/grafana/helm-charts/pull/3177/files)