kedacore / keda-olm-operator

Operator for deploying KEDA Controller on OperatorHub.io/OLM
Apache License 2.0

Prepare release 2.10.1 #183

Closed joelsmith closed 1 year ago

joelsmith commented 1 year ago

This PR adds support for features added in the operands in 2.10.x and makes all necessary changes to be ready for the 2.10.1 release, specifically:

Checklist

joelsmith commented 1 year ago

It appears that there are some changes in the operand repo's manifests which need to be taken into account here:

zroubalik commented 1 year ago

It appears that there are some changes in the operand repo's manifests which need to be taken into account here:

* The `keda-operator` seems to want to create a secret with certs in it and requires the following (or equivalent privs):

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: foo
  namespace: keda
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: foo
  namespace: keda
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: foo
subjects:
- kind: ServiceAccount
  name: keda-operator
  namespace: keda
```

* It appears that the olm operator is trying to inject a `/certs` volume into the metrics server deployment, but it seems that the new version of the deployment already has that volume and the two are conflicting.

you are right, this is a new change introduced in 2.10 upstream

gauron99 commented 1 year ago

thx for the ping. I see what it is. It's because "2.10" is alphabetically not following "2.9". I made the script to compare the 2 last dirs but I think I'm gonna have to parse the number and then take 2 last ones. I'll make a fix

jrvaldes commented 1 year ago

thx for the ping. I see what it is. It's because "2.10" is alphabetically not following "2.9". I made the script to compare the 2 last dirs but I think I'm gonna have to parse the number and then take 2 last ones. I'll make a fix

@gauron99 could we leverage any existing library/tool to compare sem versions?
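
The directory-ordering bug described above, reproduced and then fixed with a numeric per-field sort rather than a semver library. This is an added example, not part of the thread or the project's script; the function names and the sample tree are constructed, and it assumes plain `X.Y.Z` directory names with no pre-release suffixes.

```bash
#!/usr/bin/env bash
# Added illustration: names and sample layout are constructed for this
# example and are not taken from the keda-olm-operator repository.

# List release directories (plain X.Y.Z names only) directly under $1.
release_dirs() {
  local d name
  for d in "$1"/*/; do
    [ -d "$d" ] || continue
    name=$(basename "$d")
    # Skip anything that is not a three-part numeric version (e.g. "docs").
    if printf '%s\n' "$name" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
      printf '%s\n' "$name"
    fi
  done
}

# Buggy selection: byte-wise string order puts "2.10.1" before "2.8.2",
# so the "last two" are the two older releases.
last_two_lexical() {
  release_dirs "$1" | LC_ALL=C sort | tail -n 2 | tr '\n' ' ' | sed 's/ $//'
}

# Fixed selection: compare major, minor and patch as numbers.
last_two_numeric() {
  release_dirs "$1" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 2 \
    | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample tree using the versions mentioned in the thread.
make_sample_tree() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/2.8.2" "$root/2.9.3" "$root/2.10.1" "$root/docs"
  printf '%s\n' "$root"
}

demo_root=$(make_sample_tree)
echo "lexical order picks: $(last_two_lexical "$demo_root")"
echo "numeric order picks: $(last_two_numeric "$demo_root")"
rm -rf "$demo_root"
```

The lexical result matches the pair the bot diffed in the comments that follow (2.8.2 and 2.9.3), which is how the 2.10.1 manifests escaped comparison.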

github-actions[bot] commented 1 year ago

Diff 2.9.3/manifests/keda.sh_scaledjobs.yaml & 2.8.2/manifests/keda.sh_scaledjobs.yaml

```diff 5c5 < controller-gen.kubebuilder.io/version: v0.9.0 --- > controller-gen.kubebuilder.io/version: v0.10.0 9c9 < app.kubernetes.io/version: 2.8.2 --- > app.kubernetes.io/version: 2.9.3 22a23,25 > - jsonPath: .spec.minReplicaCount > name: Min > type: integer 129a133,254 > podFailurePolicy: > description: "Specifies the policy of handling failed pods. In > particular, it allows to specify the set of actions and conditions > which need to be satisfied to take the associated action. If > empty, the default behaviour applies - the counter of failed > pods, represented by the jobs's .status.failed field, is incremented > and it is checked against the backoffLimit. This field cannot > be used in combination with restartPolicy=OnFailure. \n This > field is alpha-level. To use this field, you must enable the > `JobPodFailurePolicy` feature gate (disabled by default)." > properties: > rules: > description: A list of pod failure policy rules. The rules > are evaluated in order. Once a rule matches a Pod failure, > the remaining of the rules are ignored. When no rule matches > the Pod failure, the default handling applies - the counter > of pod failures is incremented and it is checked against > the backoffLimit. At most 20 elements are allowed. > items: > description: PodFailurePolicyRule describes how a pod failure > is handled when the requirements are met. One of OnExitCodes > and onPodConditions, but not both, can be used in each > rule. > properties: > action: > description: 'Specifies the action taken on a pod failure > when the requirements are satisfied. Possible values > are: - FailJob: indicates that the pod''s job is marked > as Failed and all running pods are terminated. - Ignore: > indicates that the counter towards the .backoffLimit > is not incremented and a replacement pod is created. > - Count: indicates that the pod is handled in the > default way - the counter towards the .backoffLimit > is incremented. 
Additional values are considered to > be added in the future. Clients should react to an > unknown action by skipping the rule.' > type: string > onExitCodes: > description: Represents the requirement on the container > exit codes. > properties: > containerName: > description: Restricts the check for exit codes > to the container with the specified name. When > null, the rule applies to all containers. When > specified, it should match one the container or > initContainer names in the pod template. > type: string > operator: > description: 'Represents the relationship between > the container exit code(s) and the specified values. > Containers completed with success (exit code 0) > are excluded from the requirement check. Possible > values are: - In: the requirement is satisfied > if at least one container exit code (might be > multiple if there are multiple containers not > restricted by the ''containerName'' field) is > in the set of specified values. - NotIn: the requirement > is satisfied if at least one container exit code > (might be multiple if there are multiple containers > not restricted by the ''containerName'' field) > is not in the set of specified values. Additional > values are considered to be added in the future. > Clients should react to an unknown operator by > assuming the requirement is not satisfied.' > type: string > values: > description: Specifies the set of values. Each returned > container exit code (might be multiple in case > of multiple containers) is checked against this > set of values with respect to the operator. The > list of values must be ordered and must not contain > duplicates. Value '0' cannot be used for the In > operator. At least one element is required. At > most 255 elements are allowed. > items: > format: int32 > type: integer > type: array > x-kubernetes-list-type: set > required: > - operator > - values > type: object > onPodConditions: > description: Represents the requirement on the pod conditions. 
> The requirement is represented as a list of pod condition > patterns. The requirement is satisfied if at least > one pattern matches an actual pod condition. At most > 20 elements are allowed. > items: > description: PodFailurePolicyOnPodConditionsPattern > describes a pattern for matching an actual pod condition > type. > properties: > status: > description: Specifies the required Pod condition > status. To match a pod condition it is required > that the specified status equals the pod condition > status. Defaults to True. > type: string > type: > description: Specifies the required Pod condition > type. To match a pod condition it is required > that specified type equals the pod condition > type. > type: string > required: > - status > - type > type: object > type: array > x-kubernetes-list-type: atomic > required: > - action > - onPodConditions > type: object > type: array > x-kubernetes-list-type: atomic > required: > - rules > type: object 175a301 > x-kubernetes-map-type: atomic 319a446 > x-kubernetes-map-type: atomic 432a560 > x-kubernetes-map-type: atomic 436a565 > x-kubernetes-map-type: atomic 526a656 > x-kubernetes-map-type: atomic 593a724 > x-kubernetes-map-type: atomic 708a840 > x-kubernetes-map-type: atomic 769a902 > x-kubernetes-map-type: atomic 885a1019 > x-kubernetes-map-type: atomic 952a1087 > x-kubernetes-map-type: atomic 1067a1203 > x-kubernetes-map-type: atomic 1128a1265 > x-kubernetes-map-type: atomic 1247a1385 > x-kubernetes-map-type: atomic 1266a1405 > x-kubernetes-map-type: atomic 1294a1434 > x-kubernetes-map-type: atomic 1316a1457 > x-kubernetes-map-type: atomic 1349a1491 > x-kubernetes-map-type: atomic 1368a1511 > x-kubernetes-map-type: atomic 1777,1783c1920,1926 < Exposing a port here gives the system additional < information about the network connections a container < uses, but is primarily informational. Not specifying < a port here DOES NOT prevent that port from being < exposed. 
Any port which is listening on the default < "0.0.0.0" address inside a container will be accessible < from the network. Cannot be updated. --- > Not specifying a port here DOES NOT prevent that > port from being exposed. Any port which is listening > on the default "0.0.0.0" address inside a container > will be accessible from the network. Modifying > this array with strategic merge patch may corrupt > the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. > Cannot be updated. 2572,2574c2715 < the pod's ephemeralcontainers subresource. This field < is beta-level and available on clusters that haven't < disabled the EphemeralContainers feature gate. --- > the pod's ephemeralcontainers subresource. 2585,2587c2726 < Pod. Ephemeral containers may not be removed or restarted. < \n This is a beta feature available on clusters that < haven't disabled the EphemeralContainers feature gate." --- > Pod. Ephemeral containers may not be removed or restarted." 2667a2807 > x-kubernetes-map-type: atomic 2686a2827 > x-kubernetes-map-type: atomic 2714a2856 > x-kubernetes-map-type: atomic 2736a2879 > x-kubernetes-map-type: atomic 2769a2913 > x-kubernetes-map-type: atomic 2788a2933 > x-kubernetes-map-type: atomic 3959a4105,4118 > hostUsers: > description: 'Use the host''s user namespace. Optional: > Default to true. If set to true or not present, the > pod will be run in the host user namespace, useful for > when the pod needs a feature only available to the host > user namespace, such as loading a kernel module with > CAP_SYS_MODULE. When set to false, a new userns is created > for the pod. Setting false is useful for mitigating > container breakout vulnerabilities even allowing users > to run their containers as root without actually having > root privileges on the host. This field is alpha-level > and is only honored by servers that enable the UserNamespacesSupport > feature.' 
> type: boolean 3981a4141 > x-kubernetes-map-type: atomic 4081a4242 > x-kubernetes-map-type: atomic 4100a4262 > x-kubernetes-map-type: atomic 4128a4291 > x-kubernetes-map-type: atomic 4150a4314 > x-kubernetes-map-type: atomic 4183a4348 > x-kubernetes-map-type: atomic 4202a4368 > x-kubernetes-map-type: atomic 4611,4617c4777,4783 < Exposing a port here gives the system additional < information about the network connections a container < uses, but is primarily informational. Not specifying < a port here DOES NOT prevent that port from being < exposed. Any port which is listening on the default < "0.0.0.0" address inside a container will be accessible < from the network. Cannot be updated. --- > Not specifying a port here DOES NOT prevent that > port from being exposed. Any port which is listening > on the default "0.0.0.0" address inside a container > will be accessible from the network. Modifying > this array with strategic merge patch may corrupt > the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. > Cannot be updated. 
5368,5373c5534,5539 < must be unset: - spec.hostPID - spec.hostIPC - spec.securityContext.seLinuxOptions < - spec.securityContext.seccompProfile - spec.securityContext.fsGroup < - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls < - spec.shareProcessNamespace - spec.securityContext.runAsUser < - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups < - spec.containers[*].securityContext.seLinuxOptions --- > must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers > - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile > - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy > - spec.securityContext.sysctls - spec.shareProcessNamespace > - spec.securityContext.runAsUser - spec.securityContext.runAsGroup > - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.seLinuxOptions 5379,5380c5545 < - spec.containers[*].securityContext.runAsGroup This < is a beta field and requires the IdentifyPodOS feature" --- > - spec.containers[*].securityContext.runAsGroup" 5815a5981,5996 > x-kubernetes-map-type: atomic > matchLabelKeys: > description: MatchLabelKeys is a set of pod label > keys to select the pods over which spreading will > be calculated. The keys are used to lookup values > from the incoming pod labels, those key-value > labels are ANDed with labelSelector to select > the group of existing pods over which spreading > will be calculated for the incoming pod. Keys > that don't exist in the incoming pod labels will > be ignored. A null or empty list means only match > against labelSelector. > items: > type: string > type: array > x-kubernetes-list-type: atomic 5864,5868c6045,6073 < zones, it will violate MaxSkew. \n This is an < alpha field and requires enabling MinDomainsInPodTopologySpread < feature gate." < format: int32 < type: integer --- > zones, it will violate MaxSkew. 
\n This is a beta > field and requires the MinDomainsInPodTopologySpread > feature gate to be enabled (enabled by default)." > format: int32 > type: integer > nodeAffinityPolicy: > description: "NodeAffinityPolicy indicates how we > will treat Pod's nodeAffinity/nodeSelector when > calculating pod topology spread skew. Options > are: - Honor: only nodes matching nodeAffinity/nodeSelector > are included in the calculations. - Ignore: nodeAffinity/nodeSelector > are ignored. All nodes are included in the calculations. > \n If this value is nil, the behavior is equivalent > to the Honor policy. This is a alpha-level feature > enabled by the NodeInclusionPolicyInPodTopologySpread > feature flag." > type: string > nodeTaintsPolicy: > description: "NodeTaintsPolicy indicates how we > will treat node taints when calculating pod topology > spread skew. Options are: - Honor: nodes without > taints, along with tainted nodes for which the > incoming pod has a toleration, are included. - > Ignore: node taints are ignored. All nodes are > included. \n If this value is nil, the behavior > is equivalent to the Ignore policy. This is a > alpha-level feature enabled by the NodeInclusionPolicyInPodTopologySpread > feature flag." > type: string 5877,5882c6082,6087 < as a domain whose nodes match the node selector. < e.g. If TopologyKey is "kubernetes.io/hostname", < each Node is a domain of that topology. And, if < TopologyKey is "topology.kubernetes.io/zone", < each zone is a domain of that topology. It's a < required field. --- > as a domain whose nodes meet the requirements > of nodeAffinityPolicy and nodeTaintsPolicy. e.g. > If TopologyKey is "kubernetes.io/hostname", each > Node is a domain of that topology. And, if TopologyKey > is "topology.kubernetes.io/zone", each zone is > a domain of that topology. It's a required field. 
6060a6266 > x-kubernetes-map-type: atomic 6097a6304 > x-kubernetes-map-type: atomic 6179a6387 > x-kubernetes-map-type: atomic 6213a6422 > x-kubernetes-map-type: atomic 6273a6483 > x-kubernetes-map-type: atomic 6323a6534 > x-kubernetes-map-type: atomic 6460a6672 > x-kubernetes-map-type: atomic 6514a6727 > x-kubernetes-map-type: atomic 6613a6827 > x-kubernetes-map-type: atomic 6715a6930 > x-kubernetes-map-type: atomic 6912a7128 > x-kubernetes-map-type: atomic 7102a7319 > x-kubernetes-map-type: atomic 7134a7352 > x-kubernetes-map-type: atomic 7192a7411 > x-kubernetes-map-type: atomic 7268a7488 > x-kubernetes-map-type: atomic 7398a7619 > x-kubernetes-map-type: atomic 7443a7665 > x-kubernetes-map-type: atomic 7572a7795 > x-kubernetes-map-type: atomic 7704a7928,7929 > useCachedMetrics: > type: boolean ```
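
Review bot: The 9c9 hunk shows this run compared the 2.8.2 and 2.9.3 manifests (`app.kubernetes.io/version: 2.8.2` against `2.9.3`), so the 2.10.1 CRD that this PR prepares was not diffed at all; rerun the comparison once the directory selection orders versions numerically, and review that output before signing off on the schema. In what is shown, 3959a4105,4118 adds `hostUsers` to the job pod template, and its own description says it defaults to true (host user namespace) and is alpha-level, so it is worth recording that ScaledJob pods gain no user-namespace isolation unless the field is set to false on a cluster with `UserNamespacesSupport` enabled.
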
github-actions[bot] commented 1 year ago

Diff 2.9.3/manifests/keda.sh_scaledobjects.yaml & 2.8.2/manifests/keda.sh_scaledobjects.yaml

```diff 5c5 < controller-gen.kubebuilder.io/version: v0.9.0 --- > controller-gen.kubebuilder.io/version: v0.10.0 9c9 < app.kubernetes.io/version: 2.8.2 --- > app.kubernetes.io/version: 2.9.3 123a124 > x-kubernetes-list-type: atomic 127c128 < MaxPolicySelect is used. --- > Max is used. 179a181 > x-kubernetes-list-type: atomic 183c185 < MaxPolicySelect is used. --- > Max is used. 278a281,282 > useCachedMetrics: > type: boolean ```
github-actions[bot] commented 1 year ago

Diff output of 2.9.3/manifests/keda.sh_kedacontrollers.yaml is too large - character limit 65536 exceeded for github comment

github-actions[bot] commented 1 year ago

Diff 2.9.3/manifests/keda.sh_clustertriggerauthentications.yaml & 2.8.2/manifests/keda.sh_clustertriggerauthentications.yaml

```diff 5c5 < controller-gen.kubebuilder.io/version: v0.9.0 --- > controller-gen.kubebuilder.io/version: v0.10.0 9c9 < app.kubernetes.io/version: 2.8.2 --- > app.kubernetes.io/version: 2.9.3 101a102,113 > type: object > podIdentity: > description: AuthPodIdentity allows users to select the platform > native identity mechanism > properties: > identityId: > type: string > provider: > description: PodIdentityProvider contains the list of providers > type: string > required: > - provider ```
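
Review bot: In 101a102,113 the new `podIdentity.provider` is required but typed as a bare `type: string` with no `enum`, so the CRD schema accepts any value and rejection of an unknown provider depends entirely on the controller. Confirm that the controller fails closed on an unrecognised provider, or constrain the field in the schema so a typo is rejected at admission.
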
github-actions[bot] commented 1 year ago

Diff 2.9.3/manifests/keda.v2.9.3.clusterserviceversion.yaml & 2.8.2/manifests/keda.v2.8.2.clusterserviceversion.yaml

```diff 114,115c114,115 < containerImage: ghcr.io/kedacore/keda-olm-operator:2.8.2 < createdAt: "2023-01-25T00:00:00.000Z" --- > containerImage: ghcr.io/kedacore/keda-olm-operator:2.9.3 > createdAt: "2023-01-31T00:00:00.000Z" 122c122 < name: keda.v2.8.2 --- > name: keda.v2.9.3 485a486 > - podmonitors 488a490 > - list 533c535 < image: ghcr.io/kedacore/keda-olm-operator:2.8.2 --- > image: ghcr.io/kedacore/keda-olm-operator:2.9.3 540a543,546 > ports: > - containerPort: 8080 > name: http > protocol: TCP 589c595 < minKubeVersion: 1.17.0 --- > minKubeVersion: 1.23.0 592c598 < replaces: keda.v2.8.1 --- > replaces: keda.v2.8.2 594c600 < version: 2.8.2 --- > version: 2.9.3 ```
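
Review bot: The 485a486 and 488a490 hunks add `- podmonitors` and `- list`, which look like a resource and a verb added to a permissions rule, but normal-format diff output carries no surrounding context, so the apiGroups and the rest of the enclosing rule cannot be checked from this comment. Regenerate the comparison with unified context (`diff -u`) so the scope of the added grant is visible to reviewers. Separately, 122c122 shows this is the 2.9.3 CSV, so the `secrets` create/get/update grant discussed earlier in the thread for 2.10 is not covered here, and the `minKubeVersion` bump from 1.17.0 to 1.23.0 in 589c595 deserves a line in the release notes.
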
github-actions[bot] commented 1 year ago

Diff 2.9.3/metadata/annotations.yaml & 2.8.2/metadata/annotations.yaml

```diff 10c10 < operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v2 --- > operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3 ```