NO-JIRA: Improves version handling, build robustness, discovery error handling, and bumps versions/references across the operator

Makefile

@@ -1,5 +1,5 @@
 # Project path.
-PROJECT_ROOT := $(shell git rev-parse --show-toplevel)
+PROJECT_ROOT := $(shell git rev-parse --show-toplevel 2>/dev/null || pwd)
 
 # Warn when an undefined variable is referenced, helping catch typos and missing definitions.
 MAKEFLAGS += --warn-undefined-variables
@@ -92,9 +92,24 @@ endif
 # tools. (i.e. podman)
 CONTAINER_TOOL ?= podman
 
-COMMIT ?= $(shell git rev-parse HEAD)
-SHORTCOMMIT ?= $(shell git rev-parse --short HEAD)
-GOBUILD_VERSION_ARGS = -ldflags "-X $(PACKAGE)/pkg/version.SHORTCOMMIT=$(SHORTCOMMIT) -X $(PACKAGE)/pkg/version.COMMIT=$(COMMIT)"
+# GO_PACKAGE is the Go module path (used for ldflags to embed version info).
+GO_PACKAGE ?= $(shell go list -m)
+
+# Version information for ldflags injection.
+SOURCE_GIT_COMMIT ?= $(shell git rev-parse HEAD 2>/dev/null)
+BUILD_DATE ?= $(shell date -u +'%Y-%m-%dT%H:%M:%SZ')
+
+# Extract major/minor from IMG_VERSION (e.g., 1.1.0 -> major=1, minor=1)
+IMG_VERSION_MAJOR = $(word 1,$(subst ., ,$(IMG_VERSION)))
+IMG_VERSION_MINOR = $(word 2,$(subst ., ,$(IMG_VERSION)))
+
+GOBUILD_VERSION_ARGS = -ldflags " \
+	-X $(GO_PACKAGE)/pkg/version.commitFromGit=$(SOURCE_GIT_COMMIT) \
+	-X $(GO_PACKAGE)/pkg/version.versionFromGit=v$(IMG_VERSION) \
+	-X $(GO_PACKAGE)/pkg/version.majorFromGit=$(IMG_VERSION_MAJOR) \
+	-X $(GO_PACKAGE)/pkg/version.minorFromGit=$(IMG_VERSION_MINOR) \
+	-X $(GO_PACKAGE)/pkg/version.buildDate=$(BUILD_DATE) \
+	"
 
 # Location to install dependencies to.
 LOCALBIN ?= $(PROJECT_ROOT)/bin

bindata/external-secrets/networkpolicy_allow-api-server-and-webhook-traffic.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     app.kubernetes.io/name: external-secrets-webhook
     app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v0.19.0"
+    app.kubernetes.io/version: "v1.1.0"
     app.kubernetes.io/managed-by: external-secrets-operator
     external-secrets.io/component: webhook
 spec:

bindata/external-secrets/networkpolicy_allow-api-server-egress-for-bitwarden-sever.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     app.kubernetes.io/name: bitwarden-sdk-server
     app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v0.19.0"
+    app.kubernetes.io/version: "v1.1.0"
     app.kubernetes.io/managed-by: external-secrets-operator
 spec:
   podSelector:

bindata/external-secrets/networkpolicy_allow-api-server-egress-for-cert-controller-traffic.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     app.kubernetes.io/name: external-secrets-cert-controller
     app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v0.19.0"
+    app.kubernetes.io/version: "v1.1.0"
     app.kubernetes.io/managed-by: external-secrets-operator
 spec:
   podSelector:

bindata/external-secrets/networkpolicy_allow-api-server-egress-for-main-controller-traffic.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     app.kubernetes.io/name: external-secrets
     app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v0.19.0"
+    app.kubernetes.io/version: "v1.1.0"
     app.kubernetes.io/managed-by: external-secrets-operator
 spec:
   podSelector:

bindata/external-secrets/networkpolicy_allow-dns.yaml

@@ -4,7 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/name: external-secrets
     app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v0.19.0"
+    app.kubernetes.io/version: "v1.1.0"
     app.kubernetes.io/managed-by: external-secrets-operator
   name: allow-to-dns
 spec:

bindata/external-secrets/networkpolicy_deny-all.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     app.kubernetes.io/name: external-secrets
     app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v0.19.0"
+    app.kubernetes.io/version: "v1.1.0"
     app.kubernetes.io/managed-by: external-secrets-operator
 spec:
   podSelector: {}

cmd/external-secrets-operator/main.go

@@ -45,6 +45,7 @@ import (
 	operatorv1alpha1 "github.com/openshift/external-secrets-operator/api/v1alpha1"
 	escontroller "github.com/openshift/external-secrets-operator/pkg/controller/external_secrets"
 	"github.com/openshift/external-secrets-operator/pkg/operator"
+	"github.com/openshift/external-secrets-operator/pkg/version"
 	// +kubebuilder:scaffold:imports
 )
 
@@ -142,6 +143,8 @@ func main() {
 	logConfig := textlogger.NewConfig(textlogger.Verbosity(logLevel))
 	ctrl.SetLogger(textlogger.NewLogger(logConfig))
 
+	setupLog.Info("starting external-secrets-operator", "version", version.String())
+
 	if !enableHTTP2 {
 		// if the enable-http2 flag is false (the default), http/2 should be disabled
 		// due to its vulnerabilities.
@@ -159,15 +162,15 @@ func main() {
 
 	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
 	// More info:
-	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.0/pkg/metrics/server
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/metrics/server
 	// - https://book.kubebuilder.io/reference/metrics.html
 	metricsServerOptions := metricsserver.Options{
 		BindAddress: metricsAddr,
 
 		// FilterProvider is used to protect the metrics endpoint with authn/authz.
 		// These configurations ensure that only authorized users and service accounts
 		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
-		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.0/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/metrics/filters#WithAuthenticationAndAuthorization
 		FilterProvider: filters.WithAuthenticationAndAuthorization,
 	}
 

hack/go-fips.sh

@@ -6,7 +6,13 @@ set -o errexit
 
 GOFLAGS="${GOFLAGS:-}"
 
-if GOEXPERIMENT="strictfipsruntime" go build ./tools > /dev/null 2>&1 ; then
+# Test if the go compiler supports GOEXPERIMENT=strictfipsruntime by building a minimal program.
+# Using ./tools doesn't work as it contains only tool dependency imports that aren't buildable.
+fips_test_file=$(mktemp --suffix=.go)
+trap 'rm -f ${fips_test_file}' EXIT
+echo 'package main; func main(){}' > "${fips_test_file}"
+
+if GOEXPERIMENT="strictfipsruntime" go build -o /dev/null "${fips_test_file}" > /dev/null 2>&1 ; then
     echo "INFO: building with FIPS support"
 
     export GOEXPERIMENT="strictfipsruntime"

hack/govulncheck.sh

@@ -27,7 +27,8 @@ set -o errexit
 # - https://pkg.go.dev/vuln/GO-2026-4340 - Handshake messages may be processed at the incorrect encryption level in crypto/tls
 # - https://pkg.go.dev/vuln/GO-2025-4175 - Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
 # - https://pkg.go.dev/vuln/GO-2025-4155 - Excessive resource consumption when printing error string for host certificate validation in crypto/x509
-KNOWN_VULNS_PATTERN="GO-2025-3547|GO-2025-3521|GO-2025-4240|GO-2026-4341|GO-2026-4340|GO-2025-4175|GO-2025-4155"
+# - https://pkg.go.dev/vuln/GO-2026-4337 - During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed.
+KNOWN_VULNS_PATTERN="GO-2025-3547|GO-2025-3521|GO-2025-4240|GO-2026-4341|GO-2026-4340|GO-2025-4175|GO-2025-4155|GO-2026-4337"
 
 GOVULNCHECK_BIN="${1:-}"
 OUTPUT_DIR="${2:-}"

images/ci/operand.Dockerfile

@@ -1,6 +1,6 @@
 FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.21 AS builder
 
-ARG RELEASE_BRANCH=v0.19.0
+ARG RELEASE_BRANCH=v0.20.4
 ARG GO_BUILD_TAGS=strictfipsruntime,openssl
 ARG SRC_DIR=/go/src/github.com/openshift/external-secrets
 

pkg/controller/external_secrets/controller.go

@@ -317,9 +317,14 @@ func isCRDInstalled(config *rest.Config, name, groupVersion string) (bool, error
 	}
 
 	resources, err := discoveryClient.ServerPreferredResources()
-	if err != nil {
+	// ServerPreferredResources() may return a partial result along with an error (e.g., when some API groups are
+	// unavailable). Currently, any error causes an immediate return, potentially missing CRDs that were successfully discovered.
+	if err != nil && len(resources) == 0 {
 		return false, fmt.Errorf("failed to discover resources list: %w", err)
 	}
+	if err != nil {
+		ctrl.Log.V(1).WithName("crd-discovery").Info("ServerPreferredResources returned partial results", "error", err)
+	}
 
 	for _, resource := range resources {
 		if resource.GroupVersion == groupVersion {

pkg/version/version.go

@@ -0,0 +1,55 @@
+// Package version provides build-time version information for the operator.
+package version
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/version"
+)
+
+// These variables are populated at build time via ldflags.
+// Example: go build -ldflags "-X github.com/openshift/external-secrets-operator/pkg/version.commitFromGit=$(git rev-parse HEAD)"
+var (
+	// commitFromGit is the source version that generated this build.
+	// Set via -ldflags during build.
+	commitFromGit string
+
+	// versionFromGit is the version tag that generated this build.
+	// Set via -ldflags during build.
+	versionFromGit string
+
+	// majorFromGit is the major version component.
+	// Set via -ldflags during build.
+	majorFromGit string
+
+	// minorFromGit is the minor version component.
+	// Set via -ldflags during build.
+	minorFromGit string
+
+	// buildDate is the build timestamp in ISO8601 format.
+	// Set via -ldflags during build using: $(date -u +'%Y-%m-%dT%H:%M:%SZ')
+	buildDate string
+)
+
+// Get returns the overall codebase version information.
+// It's used for detecting what code a binary was built from.
+func Get() version.Info {
+	return version.Info{
+		Major:      majorFromGit,
+		Minor:      minorFromGit,
+		GitCommit:  commitFromGit,
+		GitVersion: versionFromGit,
+		BuildDate:  buildDate,
+	}
+}
+
+// String returns a human-readable version string.
+// Format: "vX.Y.Z (commit: abc1234, built: 2024-01-01T00:00:00Z)"
+func String() string {
+	v := Get()
+	commit := v.GitCommit
+	if len(commit) > 7 {
+		commit = commit[:7]
+	}
+	return fmt.Sprintf("%s (commit: %s, built: %s)", v.GitVersion, commit, v.BuildDate)
+}