rustrial
diff --git a/‎.github/install-cr.sh
Lines changed: 1 addition & 1 deletion b/‎.github/install-cr.sh
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/build.yaml
Lines changed: 7 additions & 7 deletions b/‎.github/workflows/build.yaml
Lines changed: 7 additions & 7 deletions
diff --git a/‎.github/workflows/publish.yml
Lines changed: 10 additions & 11 deletions b/‎.github/workflows/publish.yml
Lines changed: 10 additions & 11 deletions
diff --git a/‎Dockerfile
Lines changed: 1 addition & 1 deletion b/‎Dockerfile
Lines changed: 1 addition & 1 deletion
diff --git a/‎Makefile
Lines changed: 3 additions & 3 deletions b/‎Makefile
Lines changed: 3 additions & 3 deletions
diff --git a/‎api/secrets/v1beta1/zz_generated.deepcopy.go
Lines changed: 4 additions & 3 deletions b/‎api/secrets/v1beta1/zz_generated.deepcopy.go
Lines changed: 4 additions & 3 deletions
diff --git a/‎cmd/main.go
Lines changed: 14 additions & 7 deletions b/‎cmd/main.go
Lines changed: 14 additions & 7 deletions
diff --git a/‎cmd/seals/cmd/aws-kms.go
Lines changed: 3 additions & 3 deletions b/‎cmd/seals/cmd/aws-kms.go
Lines changed: 3 additions & 3 deletions
diff --git a/‎config/crd/bases/secrets.rustrial.org_keyencryptionkeypolicies.yaml
Lines changed: 24 additions & 14 deletions b/‎config/crd/bases/secrets.rustrial.org_keyencryptionkeypolicies.yaml
Lines changed: 24 additions & 14 deletions
@@ -2,7 +2,7 @@
 
 set -e
 
-version=v1.1.1
+version=v1.5.0
 curl -sSLo /tmp/cr.tar.gz "https://github.com/helm/chart-releaser/releases/download/$version/chart-releaser_${version#v}_linux_amd64.tar.gz"
 tar -xzvf /tmp/cr.tar.gz -C "/tmp"
 rm -f /tmp/cr.tar.gz
 
@@ -24,29 +24,29 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.20.x
+          go-version: 1.22.x
       - name: Setup Kubernetes
         uses: helm/[email protected]
         with:
-          version: "v0.20.0" # https://github.com/kubernetes-sigs/kind/releases
-          node_image: "kindest/node:v1.26.6"
+          version: "v0.22.0" # https://github.com/kubernetes-sigs/kind/releases
+          node_image: "kindest/node:v1.29.2"
           cluster_name: kind
       - name: Setup Helm
         uses: fluxcd/pkg/actions/helm@main
         with:
-          version: "3.12.1"
+          version: "v3.14.4"
       - name: Setup Kustomize
         uses: fluxcd/pkg/actions/kustomize@main
         with:
-          version: "5.1.0"
+          version: "5.3.0"
       - name: Setup Kubebuilder
         uses: RyanSiu1995/[email protected]
         with:
-          version: "3.11.0"
+          version: "3.14.2"
       - name: Setup Kubectl
         uses: fluxcd/pkg/actions/kubectl@main
         with:
-          version: "1.26.6"
+          version: "1.29.2"
       - name: Run tests
         run: make test
         env:
 
@@ -52,11 +52,10 @@ jobs:
     strategy:
       matrix:
         k8s: # Must be available from https://github.com/kubernetes-sigs/kind/releases
-          - v1.23.17
-          - v1.24.15
-          - v1.25.11
-          - v1.26.6
-          - v1.27.3
+          - v1.26.14
+          - v1.27.11
+          - v1.28.7
+          - v1.29.2
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -65,13 +64,13 @@ jobs:
       - name: Set up Helm
         uses: azure/setup-helm@v1
         with:
-          version: "v3.12.1"
+          version: "v3.14.4"
       - name: Run chart-testing (lint)
         run: (cd charts/k8s-gitops-secrets-controller && helm lint .)
       - name: Create kind ${{ matrix.k8s }} cluster
-        uses: helm/kind-action@v1.5.0
+        uses: helm/kind-action@v1.10.0
         with:
-          version: "v0.20.0" # https://github.com/kubernetes-sigs/kind/releases
+          version: "v0.22.0" # https://github.com/kubernetes-sigs/kind/releases
           node_image: kindest/node:${{ matrix.k8s }}
       - name: Install chart
         run: (cd charts/k8s-gitops-secrets-controller && helm install k8s-gitops-secrets-controller . -n k8s-gitops-secrets-system --create-namespace --wait --set fullnameOverride=k8s-gitops-secrets-controller-manager --set-string image.tag=${{env.VERSION}})
@@ -90,7 +89,7 @@ jobs:
           fetch-depth: 0
       - name: "✏️ Generate release changelog"
         id: generate-release-changelog
-        uses: heinrichreimer/github-changelog-generator-action@v2.1.1
+        uses: heinrichreimer/github-changelog-generator-action@v2.4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           #onlyLastTag: "true"
@@ -106,7 +105,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.20.x
+          go-version: 1.22.x
       - name: Build seals CLI
         run: make cli
       - name: Extract TAG_NAME from GITHUB_REF
@@ -195,7 +194,7 @@ jobs:
       - name: Install Helm
         uses: azure/setup-helm@v1
         with:
-          version: v3.12.1
+          version: v3.14.4
       - name: Install CR
         run: .github/install-cr.sh
       - name: Update Helm Chart versions
 
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.20 as builder
+FROM golang:1.22 as builder
 ARG TARGETOS
 ARG TARGETARCH
 
 
@@ -2,7 +2,7 @@
 # Image URL to use all building/pushing image targets
 IMG ?= controller:latest
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
-ENVTEST_K8S_VERSION = 1.27.1
+ENVTEST_K8S_VERSION = 1.29.2
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -152,8 +152,8 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 ENVTEST ?= $(LOCALBIN)/setup-envtest
 
 ## Tool Versions
-KUSTOMIZE_VERSION ?= v5.0.1
-CONTROLLER_TOOLS_VERSION ?= v0.12.0
+KUSTOMIZE_VERSION ?= v5.3.0
+CONTROLLER_TOOLS_VERSION ?= v0.15.0
 
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading.
 
@@ -20,7 +20,6 @@ import (
 	"context"
 	"flag"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"strings"
 
@@ -40,6 +39,8 @@ import (
 	secretscontroller "github.com/rustrial/k8s-gitops-secrets/internal/controller/secrets"
 	"github.com/rustrial/k8s-gitops-secrets/internal/providers"
 	awsProvider "github.com/rustrial/k8s-gitops-secrets/internal/providers/aws"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -80,11 +81,17 @@ func main() {
 		os.Exit(1)
 	}
 
+	cacheConfig := cache.Options{}
+	if namespace != "" {
+		cacheConfig.DefaultNamespaces[namespace] = cache.Config{}
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme:                 scheme,
-		Namespace:              namespace,
-		MetricsBindAddress:     metricsAddr,
-		Port:                   9443,
+		Scheme: scheme,
+		Cache:  cacheConfig,
+		Metrics: metricsserver.Options{
+			BindAddress: metricsAddr,
+		},
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       "e6233917cd37-controller-secrets-rustrial-org",
@@ -156,12 +163,12 @@ func getControllerNamespace() (string, error) {
 		return strings.TrimSpace(ns), nil
 	}
 	// Fall back to the namespace associated with the service account token, if available
-	data, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+	data, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
 	if err != nil {
 		return "", err
 	}
 	if ns := strings.TrimSpace(string(data)); len(ns) > 0 {
 		return ns, nil
 	}
-	return "", fmt.Errorf("Failed to determine current namespace")
+	return "", fmt.Errorf("failed to determine current namespace")
 }
@@ -4,7 +4,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"
 
 	"github.com/aws/aws-sdk-go-v2/config"
@@ -37,7 +37,7 @@ var encrypt = &cobra.Command{
 			os.Exit(1)
 		}
 		provider := awsProvider.NewKmsProvider(cfg)
-		plainText, err := ioutil.ReadAll(os.Stdin)
+		plainText, err := io.ReadAll(os.Stdin)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "Error while reading plain text data from STDIN: %s\n", err)
 			os.Exit(1)
@@ -52,7 +52,7 @@ var encrypt = &cobra.Command{
 					fmt.Fprintf(os.Stderr, "Error while decrypting plaintext data: %s\n", err)
 					os.Exit(1)
 				}
-				if bytes.Compare(pt, plainText) != 0 {
+				if !bytes.Equal(pt, plainText) {
 					fmt.Fprintf(os.Stderr, "Decrypting plaintext does not match the input plaintext\n")
 					os.Exit(1)
 				}
 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: keyencryptionkeypolicies.secrets.rustrial.org
 spec:
   group: secrets.rustrial.org
@@ -21,30 +21,40 @@ spec:
           API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
           spec:
             description: KeyEncryptionKeyPolicySpec defines the desired state of KeyEncryptionKeyPolicy
             properties:
               keyEncryptionKeyId:
-                description: "KeyEncryptionKeyId is the provider specific unique ID
-                  of the Key Encryption Key (KEK) use to encrypt/decrypt the Data
-                  Encryption Key (DEK). \n This ID must uniquely identify the KEK
-                  and provider and is used in authorization rules to decide which
-                  namespaces can access which KEKs."
+                description: |-
+                  KeyEncryptionKeyId is the provider specific unique ID of
+                  the Key Encryption Key (KEK) use to encrypt/decrypt the
+                  Data Encryption Key (DEK).
+
+
+                  This ID must uniquely identify the KEK and provider and
+                  is used in authorization rules to decide which namespaces
+                  can access which KEKs.
                 type: string
               namespaces:
-                description: White-list of namespaces, which are entitled to use this
-                  KEK to decrypt DataEncrpytionKeys.
+                description: |-
+                  White-list of namespaces, which are entitled to use this KEK
+                  to decrypt DataEncrpytionKeys.
                 items:
                   type: string
                 type: array