Update third party dependencies

Signed-off-by: Sascha Grunert <[email protected]>

Author: saschagrunert

.github/workflows/build.yml

@@ -8,8 +8,8 @@ on:
   pull_request:
 env:
   GO_VERSION: '1.23'
-  NIX_VERSION: '2.18.1'
-  BOM_VERSION: v0.5.1
+  NIX_VERSION: '2.25.0'
+  BOM_VERSION: v0.6.0
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true

.github/workflows/olm_tests.yaml

@@ -25,8 +25,7 @@ jobs:
       run: |
         mkdir -p ${GITHUB_WORKSPACE}/build
         echo "${GITHUB_WORKSPACE}/build" >> ${GITHUB_PATH}
-        make operator-sdk
-        make opm
+        make operator-sdk opm
 
     - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
       with:

Dockerfile.build-image

@@ -12,8 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# hash below relates to tag: bookworm-v1.0.3
-FROM registry.k8s.io/build-image/debian-base@sha256:b30608f5a81f8ba99b287322d0bfb77ec506adcce396147aa4a59699d69be3e0
+# hash below relates to tag: bookworm-v1.0.4
+FROM registry.k8s.io/build-image/debian-base@sha256:0a17678966f63e82e9c5e246d9e654836a33e13650a698adefede61bb5ca099e
 WORKDIR /work
 
 RUN apt-get update && \
@@ -24,7 +24,7 @@ RUN apt-get update && \
 
 ENV USER=root
 
-ARG NIX_VERSION=2.18.1
+ARG NIX_VERSION=2.25.0
 RUN wget https://nixos.org/releases/nix/nix-${NIX_VERSION}/nix-${NIX_VERSION}-x86_64-linux.tar.xz && \
   tar xf nix-${NIX_VERSION}-x86_64-linux.tar.xz && \
   groupadd -r -g 30000 nixbld && \

Makefile

@@ -16,8 +16,8 @@ GO ?= go
 
 GOLANGCI_LINT_VERSION = v1.62.0
 REPO_INFRA_VERSION = v0.2.5
-KUSTOMIZE_VERSION = 5.2.1
-OPERATOR_SDK_VERSION ?= v1.25.0
+KUSTOMIZE_VERSION = 5.5.0
+OPERATOR_SDK_VERSION ?= v1.37.0
 ZEITGEIST_VERSION = v0.5.4
 MDTOC_VERSION = v1.4.0
 CI_IMAGE ?= golang:1.23
@@ -581,7 +581,7 @@ bundle-push: ## Push the bundle image.
 
 .PHONY: verify-bundle
 verify-bundle: bundle ## Verify the bundle doesn't alter the state of the tree
-	hack/tree-status
+	git diff -I'^    createdAt: '
 
 .PHONY: opm
 OPM = $(BUILD_DIR)/opm

PROJECT

@@ -1,6 +1,6 @@
 domain: security-profiles-operator.x-k8s.io
 layout:
-- go.kubebuilder.io/v3
+- go.kubebuilder.io/v4
 plugins:
   manifests.sdk.operatorframework.io/v2: {}
   scorecard.sdk.operatorframework.io/v2: {}

bundle.Dockerfile

@@ -7,9 +7,9 @@ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
 LABEL operators.operatorframework.io.bundle.package.v1=security-profiles-operator
 LABEL operators.operatorframework.io.bundle.channels.v1=stable
 LABEL operators.operatorframework.io.bundle.channel.default.v1=stable
-LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.25.0
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.37.0
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
-LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3
+LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v4
 
 # Labels for testing.
 LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1

bundle/manifests/security-profiles-operator.clusterserviceversion.yaml

@@ -242,13 +242,14 @@ metadata:
     capabilities: Basic Install
     categories: Security
     containerImage: registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.4
+    createdAt: "2024-11-13T09:48:41Z"
     olm.skipRange: '>=0.4.1 <0.8.5-dev'
     operatorframework.io/cluster-monitoring: "true"
     operatorframework.io/suggested-namespace: security-profiles-operator
     operators.openshift.io/valid-subscription: '["OpenShift Kubernetes Engine", "OpenShift
       Container Platform", "OpenShift Platform Plus"]'
-    operators.operatorframework.io/builder: operator-sdk-v1.25.0
-    operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
+    operators.operatorframework.io/builder: operator-sdk-v1.37.0
+    operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
   name: security-profiles-operator.v0.8.5-dev
   namespace: placeholder
 spec:
@@ -669,7 +670,7 @@ spec:
                 - manager
                 env:
                 - name: RELATED_IMAGE_RBAC_PROXY
-                  value: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+                  value: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
                 - name: RELATED_IMAGE_SELINUXD
                   value: quay.io/security-profiles-operator/selinuxd
                 - name: RELATED_IMAGE_SELINUXD_EL8
@@ -795,7 +796,7 @@ spec:
     name: Kubernetes SIGs
     url: https://github.com/kubernetes-sigs
   relatedImages:
-  - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+  - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
     name: rbac-proxy
   - image: quay.io/security-profiles-operator/selinuxd
     name: selinuxd

bundle/metadata/annotations.yaml

@@ -6,9 +6,9 @@ annotations:
   operators.operatorframework.io.bundle.package.v1: security-profiles-operator
   operators.operatorframework.io.bundle.channels.v1: stable
   operators.operatorframework.io.bundle.channel.default.v1: stable
-  operators.operatorframework.io.metrics.builder: operator-sdk-v1.25.0
+  operators.operatorframework.io.metrics.builder: operator-sdk-v1.37.0
   operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
-  operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3
+  operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v4
 
   # Annotations for testing.
   operators.operatorframework.io.test.mediatype.v1: scorecard+v1

cloudbuild.yaml

@@ -5,7 +5,7 @@ options:
   substitution_option: ALLOW_LOOSE
   machineType: E2_HIGHCPU_8
 steps:
-  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20231105-52c482caa0
+  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241111-71c32dbdcc
     entrypoint: bash
     env:
       - TAG=$_GIT_TAG

dependencies.yaml

@@ -24,19 +24,19 @@ dependencies:
       match: REPO_INFRA_VERSION
 
   - name: kustomize
-    version: 5.2.1
+    version: 5.5.0
     refPaths:
     - path: Makefile
       match: KUSTOMIZE_VERSION
 
   - name: operator-sdk
-    version: v1.25.0
+    version: v1.37.0
     refPaths:
     - path: Makefile
       match: OPERATOR_SDK_VERSION
 
   - name: olm
-    version: v0.18.2
+    version: v0.30.0
     refPaths:
     - path: hack/ci/e2e-olm.sh
       match: OLM_VERSION
@@ -96,27 +96,27 @@ dependencies:
       match: config.vm.box
 
   - name: debian-base-digest
-    version: sha256:b30608f5a81f8ba99b287322d0bfb77ec506adcce396147aa4a59699d69be3e0
+    version: sha256:0a17678966f63e82e9c5e246d9e654836a33e13650a698adefede61bb5ca099e
     refPaths:
     - path: Dockerfile.build-image
       match: registry.k8s.io/build-image/debian-base
 
   - name: debian-base
-    version: bookworm-v1.0.3
+    version: bookworm-v1.0.4
     refPaths:
     - path: Dockerfile.build-image
       match: tag
 
   - name: nix
-    version: 2.18.1
+    version: 2.25.0
     refPaths:
     - path: Dockerfile.build-image
       match: NIX_VERSION
     - path: .github/workflows/build.yml
       match: NIX_VERSION
 
   - name: kube-rbac-proxy
-    version: 0.15.0
+    version: 0.16.0
     refPaths:
     - path: internal/pkg/manager/spod/bindata/spod.go
       match: gcr.io/kubebuilder/kube-rbac-proxy
@@ -138,13 +138,13 @@ dependencies:
       match: gcr.io/kubebuilder/kube-rbac-proxy
 
   - name: gcb-docker-gcloud
-    version: v20231105-52c482caa0
+    version: v20241111-71c32dbdcc
     refPaths:
     - path: cloudbuild.yaml
       match: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud
 
   - name: libbpf
-    version: 1.4.0
+    version: 1.5.0
     refPaths:
     - path: hack/install-libbpf.sh
       match: VERSION
@@ -176,15 +176,15 @@ dependencies:
       match: baseProfileName
 
   - name: cosign
-    version: v2.2.1
+    version: v2.4.1
     refPaths:
     - path: hack/ci/Vagrantfile-ubuntu
       match: COSIGN_VERSION
     - path: hack/ci/Vagrantfile-debian
       match: COSIGN_VERSION
 
   - name: bom
-    version: v0.5.1
+    version: v0.6.0
     refPaths:
     - path: .github/workflows/build.yml
       match: BOM_VERSION
@@ -243,7 +243,7 @@ dependencies:
         match: MDTOC_VERSION
 
   - name: yq
-    version: 4.35.2
+    version: 4.44.3
     refPaths:
       - path: hack/ci/install-yq.sh
         match: YQ_VERSION

deploy/base/clusterserviceversion.yaml

@@ -7,7 +7,7 @@ metadata:
     capabilities: Basic Install
     categories: Security
     containerImage: registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.4
-    olm.skipRange: '>=0.4.1 <0.4.2-dev'
+    olm.skipRange: '>=0.4.1 <0.8.5-dev'
     operatorframework.io/suggested-namespace: security-profiles-operator
     operators.openshift.io/valid-subscription: '["OpenShift Kubernetes Engine", "OpenShift Container Platform", "OpenShift Platform Plus"]'
     operatorframework.io/cluster-monitoring: "true"

deploy/helm/templates/deployment.yaml

@@ -25,7 +25,7 @@ spec:
         - manager
         env:
         - name: RELATED_IMAGE_RBAC_PROXY
-          value: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+          value: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
         - name: RELATED_IMAGE_SELINUXD
           value: {{ .Values.selinuxdImage.default.registry }}/{{ .Values.selinuxdImage.default.repository }}:{{ .Values.selinuxdImage.default.tag }}
         - name: RELATED_IMAGE_SELINUXD_EL8

deploy/kustomize-deployment/manager_deployment.yaml

@@ -36,7 +36,7 @@ spec:
               cpu: 500m
           env:
             - name: RELATED_IMAGE_RBAC_PROXY
-              value: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+              value: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
             - name: RELATED_IMAGE_SELINUXD
               value: quay.io/security-profiles-operator/selinuxd
             - name: RELATED_IMAGE_SELINUXD_EL8

deploy/namespace-operator.yaml

@@ -3094,7 +3094,7 @@ spec:
         - name: RESTRICT_TO_NAMESPACE
           value: NS_REPLACE
         - name: RELATED_IMAGE_RBAC_PROXY
-          value: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+          value: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
         - name: RELATED_IMAGE_SELINUXD
           value: quay.io/security-profiles-operator/selinuxd
         - name: RELATED_IMAGE_SELINUXD_EL8

deploy/openshift-dev.yaml

@@ -3085,7 +3085,7 @@ spec:
         - manager
         env:
         - name: RELATED_IMAGE_RBAC_PROXY
-          value: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+          value: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
         - name: RELATED_IMAGE_SELINUXD
           value: quay.io/security-profiles-operator/selinuxd
         - name: RELATED_IMAGE_SELINUXD_EL8

deploy/openshift-downstream.yaml

@@ -3105,7 +3105,7 @@ spec:
         - manager
         env:
         - name: RELATED_IMAGE_RBAC_PROXY
-          value: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+          value: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
         - name: RELATED_IMAGE_SELINUXD
           value: quay.io/security-profiles-operator/selinuxd
         - name: RELATED_IMAGE_SELINUXD_EL8

deploy/operator.yaml

@@ -3092,7 +3092,7 @@ spec:
         - manager
         env:
         - name: RELATED_IMAGE_RBAC_PROXY
-          value: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+          value: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
         - name: RELATED_IMAGE_SELINUXD
           value: quay.io/security-profiles-operator/selinuxd
         - name: RELATED_IMAGE_SELINUXD_EL8

deploy/webhook-operator.yaml

@@ -3092,7 +3092,7 @@ spec:
         - --webhook=false
         env:
         - name: RELATED_IMAGE_RBAC_PROXY
-          value: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+          value: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
         - name: RELATED_IMAGE_SELINUXD
           value: quay.io/security-profiles-operator/selinuxd
         - name: RELATED_IMAGE_SELINUXD_EL8

hack/ci/Vagrantfile-debian

@@ -55,7 +55,7 @@ Vagrant.configure("2") do |config|
       /vagrant/hack/install-libbpf.sh
 
       # Install cosign (required by e2e-baseprofile test)
-      COSIGN_VERSION=v2.2.1
+      COSIGN_VERSION=v2.4.1
       COSIGN_BINARY=/usr/bin/cosign
       curl -sSfL --retry 5 --retry-delay 3 "https://github.com/sigstore/cosign/releases/download/$COSIGN_VERSION/cosign-linux-amd64" -o "$COSIGN_BINARY"
       chmod +x "$COSIGN_BINARY"

hack/ci/Vagrantfile-ubuntu

@@ -57,7 +57,7 @@ Vagrant.configure("2") do |config|
       podman load -i /vagrant/image.tar
 
       # Baseprofile recording requires cosign
-      COSIGN_VERSION=v2.2.1
+      COSIGN_VERSION=v2.4.1
       COSIGN_BINARY=/usr/bin/cosign
       curl -sSfL --retry 5 --retry-delay 3 "https://github.com/sigstore/cosign/releases/download/$COSIGN_VERSION/cosign-linux-amd64" -o "$COSIGN_BINARY"
       chmod +x "$COSIGN_BINARY"

hack/ci/e2e-olm.sh

@@ -15,7 +15,7 @@
 
 set -euox pipefail
 
-OLM_VERSION=v0.18.2
+OLM_VERSION=v0.30.0
 
 REPO=localhost:5000
 IMG=${REPO}/security-profiles-operator:${GITHUB_SHA}

hack/ci/install-yq.sh

@@ -17,7 +17,7 @@ set -euo pipefail
 
 install_yq() {
   echo "Installing yq"
-  YQ_VERSION=4.35.2
+  YQ_VERSION=4.44.3
   curl_retry -o /usr/bin/yq \
     https://github.com/mikefarah/yq/releases/download/v$YQ_VERSION/yq_linux_amd64
   sudo chmod +x /usr/bin/yq

hack/install-libbpf.sh

@@ -15,7 +15,7 @@
 
 set -euo pipefail
 
-VERSION=1.4.0
+VERSION=1.5.0
 curl -sSfL --retry 5 --retry-delay 3 \
     "https://github.com/libbpf/libbpf/archive/refs/tags/v$VERSION.tar.gz" -o- |
     tar xfz -

internal/pkg/manager/spod/bindata/spod.go

@@ -55,7 +55,7 @@ const (
 	SelinuxdPrivateDir                         = "/var/run/selinuxd"
 	SelinuxdSocketPath                         = SelinuxdPrivateDir + "/selinuxd.sock"
 	SelinuxdDBPath                             = SelinuxdPrivateDir + "/selinuxd.db"
-	MetricsImage                               = "gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0"
+	MetricsImage                               = "gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0"
 	sysKernelDebugPath                         = "/sys/kernel/debug"
 	sysKernelSecurityPath                      = "/sys/kernel/security"
 	InitContainerIDNonRootenabler              = 0