Update kubebuilder scaffold v4.13.1 -> v4.14.0

[afritzler]

Proposed Changes

Update kubebuilder scaffold v4.13.1 -> v4.14.0.

Fixes #863

Summary by CodeRabbit

• Chores

  • Bumped build/tool versions (Go toolchain, Kubebuilder, cert-manager, golangci-lint) and updated related build/config.
  • Minor build invocation tweak and updated license/metadata path listings.
  • Startup logs now use lowercased controller/webhook identifiers and some reconcile registration order adjusted.

• Configuration

  • Exposed a health port (8081) on the controller-manager deployment.

• Documentation

  • Minor API docs wording fixes.

• Tests

  • Clarified e2e test steps with additional annotations.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c73e24fb-012a-4308-af58-1623249b6711

📥 Commits

Reviewing files that changed from the base of the PR and between f39105c and b2e0e9f.

📒 Files selected for processing (15)

• .custom-gcl.yml
• .github/workflows/lint.yml
• Makefile
• PROJECT
• REUSE.toml
• api/v1alpha1/groupversion_info.go
• api/v1alpha1/zz_generated.deepcopy.go
• cmd/main.go
• config/manager/manager.yaml
• docs/api-reference/api.md
• go.mod
• internal/controller/bmcsettingsset_controller_test.go
• internal/webhook/v1alpha1/endpoint_webhook.go
• test/e2e/e2e_test.go
• test/utils/utils.go

💤 Files with no reviewable changes (2)

• internal/controller/bmcsettingsset_controller_test.go
• api/v1alpha1/zz_generated.deepcopy.go

✅ Files skipped from review due to trivial changes (9)

• api/v1alpha1/groupversion_info.go
• .custom-gcl.yml
• go.mod
• REUSE.toml
• PROJECT
• internal/webhook/v1alpha1/endpoint_webhook.go
• .github/workflows/lint.yml
• docs/api-reference/api.md
• test/e2e/e2e_test.go

🚧 Files skipped from review as they are similar to previous changes (3)

• test/utils/utils.go
• config/manager/manager.yaml
• cmd/main.go

---

📝 Walkthrough

Walkthrough

Upgrade Kubebuilder scaffold to v4.14.0 and harmonize related tooling (golangci-lint, Go), adjust controller/webhook setup logs and ordering, change controller-manager container ports, remove SPDX header from generated deepcopy, extend REUSE metadata, and update test helpers and cert-manager version.

Changes

Kubebuilder Scaffold Upgrade with Tooling Harmonization

Layer / File(s)	Summary
Build Configuration & Tooling Versions .custom-gcl.yml, .github/workflows/lint.yml, go.mod, Makefile, PROJECT	Updated versions: golangci-lint v2.8.0→v2.11.4, GitHub Action v2.10→v2.11, Go 1.25.6→1.25.7, KUBEBUILDER_VERSION v4.13.1→v4.14.0, PROJECT cliVersion 4.13.1→4.14.0.
Code Generation Invocation Makefile	generate target now calls controller-gen with object paths="./...", removing explicit object:headerFile="hack/boilerplate.go.txt".
Generated Files & Documentation api/v1alpha1/zz_generated.deepcopy.go, api/v1alpha1/groupversion_info.go, REUSE.toml, docs/api-reference/api.md	Removed SPDX header from generated deepcopy, added trailing period to package/docs comment, extended REUSE paths to include test YAML and generated deepcopy file.
Controller Setup & Webhook Wiring cmd/main.go	Standardized controller setup failure logs to use lowercase identifiers, adjusted server reconciler registration order, and refactored webhook registration into per-webhook ENABLE_WEBHOOKS gating with lowercase failure labels.
Deployment Configuration config/manager/manager.yaml	Manager container ports updated: removed empty ports: [], added named TCP health containerPort 8081.
Tests & Validation Enhancements internal/webhook/v1alpha1/endpoint_webhook.go, test/e2e/e2e_test.go, test/utils/utils.go, internal/controller/bmcsettingsset_controller_test.go	Endpoint webhook now assigns validation errors directly; E2E tests annotated with Ginkgo By(...) steps; cert-manager test version bumped to v1.20.2; minor test assertion context preserved.

Sequence Diagram(s)

sequenceDiagram
  participant Main
  participant EndpointReconciler
  participant BMCSecretReconciler
  participant ServerReconciler
  participant ServerBootConfigurationReconciler
  participant WebhookGate

  Main->>EndpointReconciler: SetupWithManager() (log controller=endpoint)
  Main->>BMCSecretReconciler: SetupWithManager() (log controller=bmcsecret)
  Main->>ServerReconciler: SetupWithManager() (log controller=server)
  Main->>ServerBootConfigurationReconciler: SetupWithManager() (log controller=serverbootconfiguration)
  Main->>WebhookGate: if ENABLE_WEBHOOKS != "false" then per-webhook setup
  WebhookGate->>WebhookGate: Setup webhook (on failure: log webhook=<lowercase> and exit)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• ironcore-dev/metal-operator#721: Prior PR that updated scaffold/tooling versions including kubebuilder and golangci-lint.
• ironcore-dev/metal-operator#686: Earlier PR that modified .custom-gcl.yml and related startup/controller registration changes.

Suggested labels

size/L

Suggested reviewers

• asergeant01

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Out of Scope Changes check	❓ Inconclusive	While most changes align with the kubebuilder upgrade, several modifications appear to exceed the scope of a simple version bump, including controller-gen argument changes, MAC address validation refactoring, and E2E test annotations.	Clarify whether changes to controller-gen arguments, endpoint webhook validation logic, E2E test annotations, and cert-manager versions are intentional outcomes of the v4.14.0 upgrade or unrelated modifications.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the primary change: updating kubebuilder scaffold from v4.13.1 to v4.14.0, which matches the changeset's main objective.
Description check	✅ Passed	The description follows the template structure with proposed changes listed and a reference to the linked issue (#863), providing sufficient context for the upgrade.
Linked Issues check	✅ Passed	The PR successfully addresses issue #863 by upgrading kubebuilder scaffold from v4.13.1 to v4.14.0 across all relevant files (Makefile, PROJECT, .custom-gcl.yml, .github/workflows/lint.yml, and dependencies), and includes the post-upgrade commands as suggested.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch kubebuilder-update-from-v4.13.1-to-v4.14.0

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[afritzler]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

internal/webhook/v1alpha1/endpoint_webhook.go (1)

46-64: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Update logging to use request context instead of package-scoped logger

The ValidateCreate and ValidateUpdate methods receive a ctx parameter but log via a package-scoped logger. Per the coding guidelines for this file path, use context-derived logging to preserve request-scoped fields.

♻️ Suggested change

 func (v *EndpointCustomValidator) ValidateCreate(ctx context.Context, obj *metalv1alpha1.Endpoint) (admission.Warnings, error) {
-	endpointlog.Info("Validation for Endpoint upon creation", "name", obj.GetName())
+	log := logf.FromContext(ctx).WithName("endpoint-resource")
+	log.Info("Validation for Endpoint upon creation", "name", obj.GetName())

 	allErrs := ValidateMACAddressCreate(ctx, v.Client, obj.Spec, field.NewPath("spec"))
@@
 func (v *EndpointCustomValidator) ValidateUpdate(ctx context.Context, oldObj, newObj *metalv1alpha1.Endpoint) (admission.Warnings, error) {
-	endpointlog.Info("Validation for Endpoint upon update", "name", newObj.GetName())
+	log := logf.FromContext(ctx).WithName("endpoint-resource")
+	log.Info("Validation for Endpoint upon update", "name", newObj.GetName())

 	allErrs := ValidateMACAddressUpdate(ctx, v.Client, newObj, field.NewPath("spec"))

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/webhook/v1alpha1/endpoint_webhook.go` around lines 46 - 64, The
package-scoped logger (endpointlog) is being used in ValidateCreate and
ValidateUpdate instead of a request-scoped logger from the context; change the
logging calls in EndpointCustomValidator's ValidateCreate and ValidateUpdate to
use log.FromContext(ctx).Info (importing sigs.k8s.io/controller-runtime/pkg/log
if not already) so request-scoped fields in ctx are preserved when logging;
update any Info calls that reference endpointlog to use the context-derived
logger and keep message/key pairs the same.

🧹 Nitpick comments (1)

cmd/main.go (1)

631-678: ⚡ Quick win

Consolidate webhook enable checks to avoid duplication

The repeated os.Getenv("ENABLE_WEBHOOKS") != "false" guard is duplicated across each webhook registration block. Caching once and wrapping all setups in a single conditional keeps behavior identical and reduces drift risk.

♻️ Suggested change

-	// nolint:goconst
-	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
+	enableWebhooks := os.Getenv("ENABLE_WEBHOOKS") != "false"
+	if enableWebhooks {
 		if err := webhookv1alpha1.SetupEndpointWebhookWithManager(mgr); err != nil {
 			setupLog.Error(err, "Failed to create webhook", "webhook", "endpoint")
 			os.Exit(1)
 		}
-	}
-	// nolint:goconst
-	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
 		if err := webhookv1alpha1.SetupBMCSecretWebhookWithManager(mgr); err != nil {
 			setupLog.Error(err, "Failed to create webhook", "webhook", "bmcsecret")
 			os.Exit(1)
 		}
-	}
-	// nolint:goconst
-	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
 		if err := webhookv1alpha1.SetupServerWebhookWithManager(mgr); err != nil {
 			setupLog.Error(err, "Failed to create webhook", "webhook", "server")
 			os.Exit(1)
 		}
-	}
-	// nolint:goconst
-	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
 		if err := webhookv1alpha1.SetupBIOSSettingsWebhookWithManager(mgr); err != nil {
 			setupLog.Error(err, "Failed to create webhook", "webhook", "biossettings")
 			os.Exit(1)
 		}
-	}
-	// nolint:goconst
-	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
 		if err := webhookv1alpha1.SetupBIOSVersionWebhookWithManager(mgr); err != nil {
 			setupLog.Error(err, "Failed to create webhook", "webhook", "biosversion")
 			os.Exit(1)
 		}
-	}
-	// nolint:goconst
-	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
 		if err := webhookv1alpha1.SetupBMCSettingsWebhookWithManager(mgr); err != nil {
 			setupLog.Error(err, "Failed to create webhook", "webhook", "bmcsettings")
 			os.Exit(1)
 		}
-	}
-	// nolint:goconst
-	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
 		if err := webhookv1alpha1.SetupBMCVersionWebhookWithManager(mgr); err != nil {
 			setupLog.Error(err, "Failed to create webhook", "webhook", "bmcversion")
 			os.Exit(1)
 		}
 	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/main.go` around lines 631 - 678, Cache the ENABLE_WEBHOOKS env value once
(e.g. enableWebhooks := os.Getenv("ENABLE_WEBHOOKS") != "false") and wrap all
webhook setup calls in a single if enableWebhooks { ... } block to avoid
repeating the guard; move the calls to
webhookv1alpha1.SetupEndpointWebhookWithManager(mgr),
SetupBMCSecretWebhookWithManager(mgr), SetupServerWebhookWithManager(mgr),
SetupBIOSSettingsWebhookWithManager(mgr),
SetupBIOSVersionWebhookWithManager(mgr), SetupBMCSettingsWebhookWithManager(mgr)
and SetupBMCVersionWebhookWithManager(mgr) inside that block and retain the
existing error handling using setupLog.Error(...) and os.Exit(1) for each setup
call.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@api/v1alpha1/groupversion_info.go`:
- Line 4: Update the package comment in groupversion_info.go to use the
canonical API group/version name used by this package
(metal.ironcore.dev/v1alpha1) instead of the current text "metal v1alpha1";
locate the package comment at the top of the file associated with package
v1alpha1 and replace the description so it references
"metal.ironcore.dev/v1alpha1" (or "metal.ironcore.dev v1alpha1") to match the
registered group/version used by this package and its generated docs.

---

Outside diff comments:
In `@internal/webhook/v1alpha1/endpoint_webhook.go`:
- Around line 46-64: The package-scoped logger (endpointlog) is being used in
ValidateCreate and ValidateUpdate instead of a request-scoped logger from the
context; change the logging calls in EndpointCustomValidator's ValidateCreate
and ValidateUpdate to use log.FromContext(ctx).Info (importing
sigs.k8s.io/controller-runtime/pkg/log if not already) so request-scoped fields
in ctx are preserved when logging; update any Info calls that reference
endpointlog to use the context-derived logger and keep message/key pairs the
same.

---

Nitpick comments:
In `@cmd/main.go`:
- Around line 631-678: Cache the ENABLE_WEBHOOKS env value once (e.g.
enableWebhooks := os.Getenv("ENABLE_WEBHOOKS") != "false") and wrap all webhook
setup calls in a single if enableWebhooks { ... } block to avoid repeating the
guard; move the calls to webhookv1alpha1.SetupEndpointWebhookWithManager(mgr),
SetupBMCSecretWebhookWithManager(mgr), SetupServerWebhookWithManager(mgr),
SetupBIOSSettingsWebhookWithManager(mgr),
SetupBIOSVersionWebhookWithManager(mgr), SetupBMCSettingsWebhookWithManager(mgr)
and SetupBMCVersionWebhookWithManager(mgr) inside that block and retain the
existing error handling using setupLog.Error(...) and os.Exit(1) for each setup
call.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: da0460d1-d246-4c06-84b9-2a447740589d

📥 Commits

Reviewing files that changed from the base of the PR and between 70aa1c0 and f39105c.

📒 Files selected for processing (15)

• .custom-gcl.yml
• .github/workflows/lint.yml
• Makefile
• PROJECT
• REUSE.toml
• api/v1alpha1/groupversion_info.go
• api/v1alpha1/zz_generated.deepcopy.go
• cmd/main.go
• config/manager/manager.yaml
• docs/api-reference/api.md
• go.mod
• internal/controller/bmcsettingsset_controller_test.go
• internal/webhook/v1alpha1/endpoint_webhook.go
• test/e2e/e2e_test.go
• test/utils/utils.go

💤 Files with no reviewable changes (2)

• internal/controller/bmcsettingsset_controller_test.go
• api/v1alpha1/zz_generated.deepcopy.go

[afritzler]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.