NO-JIRA: Improves version handling, build robustness, discovery error handling, and bumps versions/references across the operator

[bharath-b-rh]

The PR has following changes:

• Centralizes build-time version info (git commit, version tag, major/minor, build date) via ldflags and logs the details during operator startup
• PROJECT_ROOT in Makefile fallbacks current dir when not a git repo, like the git modules in release repository.
• Improved CRD discovery error handling - considers ServerPreferredResources() as failed when the error occurs and no resources were returned.
• fips check depends on a sample go program instead of tools dir.
• Version in NetworkPolicy manifests in bindata were updated to match operator version, since operator owns those and not operand.
• Adds GO-2026-4337 to excluded list as the go version having the fix is not available in downstream yet.

[openshift-ci-robot]

@bharath-b-rh: This pull request explicitly references no jira issue.

Details

In response to this:

The PR has following changes:

• Centralizes build-time version info (git commit, version tag, major/minor, build date) via ldflags and logs the details during operator startup
• PROJECT_ROOT in Makefile fallbacks current dir when not a git repo, like the git modules in release repository.
• Improved CRD discovery error handling - considers ServerPreferredResources() as failed when the error occurs and no resources were returned.
• fips check depends on a sample go program instead of tools dir.
• Version in NetworkPolicy manifests in bindata were updated to match operator version, since operator owns those and not operand.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

---

Walkthrough

Makefile: switch to granular ldflags (GO_PACKAGE, SOURCE_GIT_COMMIT, BUILD_DATE, IMG_VERSION_MAJOR/MINOR) and compose GOBUILD_VERSION_ARGS. Add pkg/version for build-time version info and log it at operator startup. Update embedded manifest version labels, tolerate partial CRD discovery errors, improve FIPS detection script, update CI operand release arg, and add a known vuln exclusion.

Changes

Cohort / File(s)	Summary
Build system & version package Makefile, pkg/version/version.go	Makefile adds GO_PACKAGE, SOURCE_GIT_COMMIT, BUILD_DATE, IMG_VERSION_MAJOR, IMG_VERSION_MINOR and updates GOBUILD_VERSION_ARGS to set ldflags: commitFromGit, versionFromGit, majorFromGit, minorFromGit, buildDate. Added pkg/version with Get() and String() using those ldflags. Removed COMMIT/SHORTCOMMIT usage.
Operator startup cmd/external-secrets-operator/main.go	Import and log version from new version package at startup.
Embedded manifests / bindata bindata/external-secrets/*.yaml, pkg/operator/assets/bindata.go	Bumped metadata.labels.app.kubernetes.io/version values from v0.19.0 to v1.1.0 across multiple embedded YAML assets and corresponding generated bindata.
Controller CRD discovery pkg/controller/external_secrets/controller.go	isCRDInstalled now continues when ServerPreferredResources() returns resources along with an error; only returns error if resources are empty. Adds logging for partial results.
FIPS detection script hack/go-fips.sh	Replaced direct build check with creating a minimal Go file and attempting compilation with GOEXPERIMENT="strictfipsruntime"; adds cleanup trap and conditional enabling of GOFLAGS/tags.
Vuln filtering script hack/govulncheck.sh	Extended KNOWN_VULNS_PATTERN to include GO-2026-4337 (adds comment).
CI image build images/ci/operand.Dockerfile	Updated RELEASE_BRANCH ARG from v0.19.0 to v0.20.4.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

✨ Finishing Touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: build linters: unable to load custom analyzer "kubeapilinter": bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bharath-b-rh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bharath-b-rh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[bharath-b-rh]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

🧹 Nitpick comments (2)

hack/go-fips.sh (1)

11-12: Use single quotes in trap to defer variable expansion.

The double quotes cause ${fips_test_file} to expand when the trap is set rather than when it fires. While functionally equivalent here since the variable doesn't change, single quotes are the correct idiom and prevent subtle bugs during future refactoring.

🔧 Suggested fix

 fips_test_file=$(mktemp --suffix=.go)
-trap "rm -f ${fips_test_file}" EXIT
+trap 'rm -f ${fips_test_file}' EXIT

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hack/go-fips.sh` around lines 11 - 12, The trap currently uses double quotes
causing ${fips_test_file} to be expanded immediately; change the trap to use
single quotes so the variable is expanded when the trap fires (update the trap
that references fips_test_file to use single-quoted string to defer expansion).

pkg/controller/external_secrets/controller.go (1)

319-324: Consider logging partial discovery errors for observability.

When ServerPreferredResources() returns a partial result with an error, the error is silently discarded. Logging it at a debug/info level would help diagnose intermittent API group availability issues without changing the functional behavior.

🔧 Suggested improvement

 	resources, err := discoveryClient.ServerPreferredResources()
 	// ServerPreferredResources() may return a partial result along with an error (e.g., when some API groups are
 	// unavailable). Currently, any error causes an immediate return, potentially missing CRDs that were successfully discovered.
 	if err != nil && len(resources) == 0 {
 		return false, fmt.Errorf("failed to discover resources list: %w", err)
 	}
+	if err != nil {
+		ctrl.Log.V(1).WithName("crd-discovery").Info("partial discovery result, some API groups may be unavailable", "error", err)
+	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/external_secrets/controller.go` around lines 319 - 324, When
calling discoveryClient.ServerPreferredResources(), handle the case where err !=
nil && len(resources) > 0 by emitting a debug/info log that includes the err
value and context that the discovery result is partial (do not change the
current return behavior). Add a log statement immediately after the existing
call (check the variables resources and err and the call to
ServerPreferredResources()) using the repository's logger (or klog if no logger
exists) to record the partial discovery error for observability.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@hack/go-fips.sh`:
- Around line 11-12: The trap currently uses double quotes causing
${fips_test_file} to be expanded immediately; change the trap to use single
quotes so the variable is expanded when the trap fires (update the trap that
references fips_test_file to use single-quoted string to defer expansion).

In `@pkg/controller/external_secrets/controller.go`:
- Around line 319-324: When calling discoveryClient.ServerPreferredResources(),
handle the case where err != nil && len(resources) > 0 by emitting a debug/info
log that includes the err value and context that the discovery result is partial
(do not change the current return behavior). Add a log statement immediately
after the existing call (check the variables resources and err and the call to
ServerPreferredResources()) using the repository's logger (or klog if no logger
exists) to record the partial discovery error for observability.

[coderabbitai]

🧹 Nitpick comments (2)

pkg/controller/external_secrets/controller.go (1)

319-324: Consider logging the error when partial results are returned.

The logic correctly tolerates partial results from ServerPreferredResources(), but when err != nil and resources is non-empty, the error is silently discarded. Logging it at a debug/info level would aid troubleshooting API group availability issues.

Proposed fix

 	resources, err := discoveryClient.ServerPreferredResources()
 	// ServerPreferredResources() may return a partial result along with an error (e.g., when some API groups are
 	// unavailable). Currently, any error causes an immediate return, potentially missing CRDs that were successfully discovered.
 	if err != nil && len(resources) == 0 {
 		return false, fmt.Errorf("failed to discover resources list: %w", err)
 	}
+	if err != nil {
+		ctrl.Log.V(1).WithName("crd-discovery").Info("ServerPreferredResources returned partial results", "error", err)
+	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/external_secrets/controller.go` around lines 319 - 324, When
ServerPreferredResources() returns both a non-nil err and a non-empty resources
slice, the error is currently discarded; modify the logic around
discoveryClient.ServerPreferredResources() so that when err != nil &&
len(resources) > 0 you log the error at debug/info level (using the package's
existing logger or klog) while still proceeding to use the partial resources;
keep the existing behavior of returning an error only when resources is empty
(err != nil && len(resources) == 0). Ensure you reference
ServerPreferredResources(), the variables resources and err, and place the log
right after the call before the conditional return.

hack/go-fips.sh (1)

11-12: Use single quotes in trap to defer variable expansion (shellcheck SC2064).

The variable expands when the trap is set rather than when triggered. While functionally correct here since fips_test_file is already assigned, single quotes are more robust if the script is refactored.

Proposed fix

 fips_test_file=$(mktemp --suffix=.go)
-trap "rm -f ${fips_test_file}" EXIT
+trap 'rm -f '"'${fips_test_file}'"'' EXIT

Or more simply, since the variable is already set:

 fips_test_file=$(mktemp --suffix=.go)
-trap "rm -f ${fips_test_file}" EXIT
+trap "rm -f '${fips_test_file}'" EXIT

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hack/go-fips.sh` around lines 11 - 12, The trap currently uses double quotes
so ${fips_test_file} is expanded when the trap is defined; change the trap
invocation to use single quotes (i.e., replace the trap "rm -f
${fips_test_file}" EXIT with a single-quoted form) so the fips_test_file
variable is expanded only when the trap runs, making the cleanup robust to
refactors (target the trap line that references fips_test_file created by
mktemp).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@hack/go-fips.sh`:
- Around line 11-12: The trap currently uses double quotes so ${fips_test_file}
is expanded when the trap is defined; change the trap invocation to use single
quotes (i.e., replace the trap "rm -f ${fips_test_file}" EXIT with a
single-quoted form) so the fips_test_file variable is expanded only when the
trap runs, making the cleanup robust to refactors (target the trap line that
references fips_test_file created by mktemp).

In `@pkg/controller/external_secrets/controller.go`:
- Around line 319-324: When ServerPreferredResources() returns both a non-nil
err and a non-empty resources slice, the error is currently discarded; modify
the logic around discoveryClient.ServerPreferredResources() so that when err !=
nil && len(resources) > 0 you log the error at debug/info level (using the
package's existing logger or klog) while still proceeding to use the partial
resources; keep the existing behavior of returning an error only when resources
is empty (err != nil && len(resources) == 0). Ensure you reference
ServerPreferredResources(), the variables resources and err, and place the log
right after the call before the conditional return.

[openshift-ci]

@bharath-b-rh: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.