Merge remote-tracking branch 'upstream/main' into layered-structure

.github/actions/deploy-lifecycle-manager-e2e/action.yml

@@ -80,9 +80,28 @@ runs:
         cat requeue-interval-patch.yaml
         kustomize edit add patch --path requeue-interval-patch.yaml --kind Deployment
         popd
+    - name: Patch KLM deployment for watcher zero downtime
+      if: ${{matrix.e2e-test == 'watcher-zero-downtime'}}
+      working-directory: lifecycle-manager
+      shell: bash
+      run: |
+        pushd config/watcher_local_test
+        echo \
+        "- op: replace
+          path: /spec/template/spec/containers/0/args/16
+          value: --kyma-requeue-success-interval=10s
+        - op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --istio-gateway-cert-switch-before-expiration-time=58m30s
+        - op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --istio-gateway-secret-requeue-success-interval=6s" >> requeue-interval-patch.yaml
+        cat requeue-interval-patch.yaml
+        kustomize edit add patch --path requeue-interval-patch.yaml --kind Deployment
+        popd
     - name: Patch CA certificate renewBefore
-      if: ${{matrix.e2e-test == 'ca-certificate-rotation' ||
-        matrix.e2e-test == 'istio-gateway-secret-rotation'}}
+      if: ${{matrix.e2e-test == 'legacy-istio-gateway-secret-rotation' ||
+        matrix.e2e-test == 'watcher-zero-downtime'}}
       working-directory: lifecycle-manager
       shell: bash
       run: |
@@ -97,6 +116,19 @@ runs:
         cat certificate_renewal.yaml
         kustomize edit add patch --path certificate_renewal.yaml --kind Certificate --group cert-manager.io --version v1 --name watcher-serving
         popd
+    - name: Use legacy istio gateway secret rotation strategy
+      if: ${{matrix.e2e-test == 'legacy-istio-gateway-secret-rotation'}}
+      working-directory: lifecycle-manager
+      shell: bash
+      run: |
+        pushd config/watcher_local_test
+        echo \
+        "- op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --legacy-strategy-for-istio-gateway-secret=true" >> legacy-secret-rotation.yaml
+        cat legacy-secret-rotation.yaml
+        kustomize edit add patch --path legacy-secret-rotation.yaml --kind Deployment
+        popd
     - name: Create and use maintenance window policy
       if: ${{matrix.e2e-test == 'maintenance-windows' ||
              matrix.e2e-test == 'maintenance-windows-initial-installation' ||
@@ -141,23 +173,13 @@ runs:
         
         echo "Maintenance window policy:"
         cat ./maintenance_windows/policy.json
-        
-        cd watcher_local_test
-        kustomize edit add component ../maintenance_windows
     - name: Deploy LM local testing kustomize
       uses: ./lifecycle-manager/.github/actions/deploy-lifecycle-manager
       with:
         klm_version_tag: ${{ inputs.klm_version_tag }}
         klm_image_repo: ${{ inputs.klm_image_repo }}
     - name: Expose Metrics Endpoint
       working-directory: lifecycle-manager
-      if: ${{ matrix.e2e-test == 'kyma-metrics' ||
-        matrix.e2e-test == 'module-status-decoupling-with-statefulset' ||
-        matrix.e2e-test == 'module-status-decoupling-with-deployment' ||
-        matrix.e2e-test == 'purge-metrics' ||
-        matrix.e2e-test == 'self-signed-certificate-rotation' ||
-        matrix.e2e-test == 'mandatory-module-metrics' ||
-        matrix.e2e-test == 'mandatory-module-metrics-with-old-naming-pattern'}}
       shell: bash
       run: |
         kubectl patch svc klm-controller-manager-metrics -p '{"spec": {"type": "LoadBalancer"}}' -n kcp-system

.github/actions/deploy-template-operator-with-modulereleasemeta/action.yml

@@ -21,7 +21,8 @@ runs:
     - name: Create and apply Template Operator ModuleTemplate from the latest release
       working-directory: template-operator
       if: ${{ matrix.e2e-test != 'mandatory-module' &&
-        matrix.e2e-test != 'mandatory-module-metrics'
+        matrix.e2e-test != 'mandatory-module-metrics' &&
+        matrix.e2e-test != 'watcher-zero-downtime'
         }}
       shell: bash
       run: |
@@ -32,7 +33,8 @@ runs:
     - name: Create and apply Template Operator ModuleTemplate with ModuleDeploymentNameInOlderVersion
       working-directory: template-operator
       if: ${{ matrix.e2e-test != 'mandatory-module' &&
-        matrix.e2e-test != 'mandatory-module-metrics'
+        matrix.e2e-test != 'mandatory-module-metrics' &&
+        matrix.e2e-test != 'watcher-zero-downtime'
         }}
       shell: bash
       run: |
@@ -42,7 +44,8 @@ runs:
     - name: Create and apply Template Operator ModuleTemplate with ModuleDeploymentNameInNewerVersion
       working-directory: template-operator
       if: ${{ matrix.e2e-test != 'mandatory-module' &&
-        matrix.e2e-test != 'mandatory-module-metrics'
+        matrix.e2e-test != 'mandatory-module-metrics' &&
+        matrix.e2e-test != 'watcher-zero-downtime'
         }}
       shell: bash
       run: |

.github/workflows/check-manifests-changes.yml

@@ -0,0 +1,123 @@
+name: "Check If Manifests Change"
+
+env:
+  PR_CACHE_KEY: pr-manifests-${{ github.run_id }}-${{ github.run_attempt }}
+  MAIN_CACHE_KEY: main-manifests-${{ github.run_id }}-${{ github.run_attempt }}
+
+on:
+  pull_request_target:
+
+jobs:
+  create-pr-manifests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout PR branch
+        uses: actions/checkout@v4
+
+      - name: Create manifests on PR branch
+        run: |
+          make dry-run-control-plane
+          mkdir -p ./cache/pr
+          mv ./dry-run/manifests.yaml ./cache/pr/manifests.yaml
+
+      - name: Save PR manifests in cache
+        uses: actions/cache@v3
+        with:
+          path: ./cache/pr/
+          key: ${{ env.PR_CACHE_KEY }}
+
+  create-main-manifests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout main branch
+        uses: actions/checkout@v4
+        with:
+          ref: main
+
+      - name: Create manifests on main branch
+        run: |
+          make dry-run-control-plane
+          mkdir -p ./cache/main
+          mv ./dry-run/manifests.yaml ./cache/main/manifests.yaml
+
+      - name: Save main manifests in cache
+        uses: actions/cache@v3
+        with:
+          path: ./cache/main/
+          key: ${{ env.MAIN_CACHE_KEY }}
+
+  diff-manifests:
+    needs:
+      - create-pr-manifests
+      - create-main-manifests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Restore PR manifests from cache
+        uses: actions/cache@v3
+        with:
+          path: ./cache/pr/
+          key: ${{ env.PR_CACHE_KEY }}
+
+      - name: Restore main manifests from cache
+        uses: actions/cache@v3
+        with:
+          path: ./cache/main/
+          key: ${{ env.MAIN_CACHE_KEY }}
+
+      - name: Compare Manifests
+        id: compare-manifests
+        run: |
+          set +e
+          DIFF_OUTPUT=$(diff ./cache/pr/manifests.yaml ./cache/main/manifests.yaml)
+          EXIT_CODE=$?
+          if [[ $EXIT_CODE != 0 ]]; then
+            echo "❌ Detected differences in manifest outputs!"
+            echo "$DIFF_OUTPUT"
+            echo "manifests_diff_detected=true" >> $GITHUB_OUTPUT
+          else
+            echo "✅ No differences in manifest outputs detected."
+            echo "manifests_diff_detected=false" >> $GITHUB_OUTPUT
+          fi
+          exit 0
+
+      - name: Add PR Comment if Manifest Differences Detected
+        if: steps.compare-manifests.outputs.manifests_diff_detected == 'true'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+              body: "❌ **Manifests created with 'make dry-run-control-plane' changed!** Please make sure to check if changes are needed in related repositories like management-plane-charts, runtime-watchter, etc.."
+            });
+            github.rest.issues.addLabels({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+              labels: ["manifests-diff"]
+            });
+
+      - name: Remove 'manifests-diff' Label if No Differences
+        if: steps.compare-manifests.outputs.manifests_diff_detected == 'false'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const labelName = 'manifests-diff';
+            const { data: labels } = await github.rest.issues.listLabelsOnIssue({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+            });
+            if (labels.some(label => label.name === labelName)) {
+              console.log(`Label "${labelName}" found, removing it.`);
+              await github.rest.issues.removeLabel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.payload.pull_request.number,
+                name: labelName,
+              });
+            } else {
+              console.log(`Label "${labelName}" not found, skipping removal.`);
+            }
+

.github/workflows/check-pipeline-changes.yml

@@ -0,0 +1,87 @@
+name: "Check Pipeline Changes"
+
+on:
+  pull_request_target:
+
+jobs:
+  check-pipeline-changes:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get list of changed files
+        id: changed-files
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { data: files } = await github.rest.pulls.listFiles({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.payload.pull_request.number,
+            });
+            // Define the pipeline-related paths to watch
+            const pathsToCheck = [
+              ".github/actions",
+              ".github/workflows/test-e2e.yml",
+              ".github/workflows/test-e2e-with-modulereleasemeta.yml",
+              ".github/scripts",
+              "scripts/tests",
+              "versions.yaml"
+            ];
+            
+            const pipelineFiles = files.filter(file => 
+              pathsToCheck.some(path => file.filename === path || file.filename.startsWith(path + '/'))
+            );
+            core.setOutput('pipelineFiles', pipelineFiles.map(file => file.filename).join(','));
+
+      - name: Evaluate Pipeline Changes
+        id: eval-changes
+        run: |
+          echo "Changed pipeline-related files:"
+          echo "${{ steps.changed-files.outputs.pipelineFiles }}" | tr ',' '\n'
+          if [ -n "${{ steps.changed-files.outputs.pipelineFiles }}" ]; then
+            echo "⚠️ Pipeline-related changes detected!"
+            echo "pipeline_changed=true" >> $GITHUB_OUTPUT
+          else
+            echo "✅ No pipeline-related changes detected."
+            echo "pipeline_changed=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Add PR Comment & Label if Pipeline Changes Detected
+        if: steps.eval-changes.outputs.pipeline_changed == 'true'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+              body: "⚠️ **Pipeline-related file changes detected!** Please review if related updates (e.g. manifest generation or workflow adjustments) are required."
+            });
+            github.rest.issues.addLabels({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number, 
+              labels: ["pipeline-changed"]
+            });
+
+      - name: Remove 'pipeline-changed' Label if No Changes Detected
+        if: steps.eval-changes.outputs.pipeline_changed == 'false'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const labelName = 'pipeline-changed';
+            const { data: labels } = await github.rest.issues.listLabelsOnIssue({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+            });
+            if (labels.some(label => label.name === labelName)) {
+              console.log(`Label "${labelName}" found, removing it.`);
+              await github.rest.issues.removeLabel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.payload.pull_request.number,
+                name: labelName,
+              });
+            } else {
+              console.log(`Label "${labelName}" not found, skipping removal.`);
+            }

.github/workflows/test-e2e-with-modulereleasemeta.yml

@@ -54,8 +54,7 @@ jobs:
           - modulereleasemeta-module-upgrade-new-version
           - unmanage-module
           - skip-manifest-reconciliation
-          - ca-certificate-rotation
-          - istio-gateway-secret-rotation
+          - legacy-istio-gateway-secret-rotation
           - self-signed-certificate-rotation
           - mandatory-module
           - mandatory-module-metrics
@@ -70,6 +69,7 @@ jobs:
           - maintenance-windows
           - maintenance-windows-initial-installation
           - maintenance-windows-skip
+          - watcher-zero-downtime
 
     runs-on: ubuntu-latest
     timeout-minutes: 20

.github/workflows/test-e2e.yml

@@ -55,8 +55,7 @@ jobs:
           - unmanage-module
           - module-install-by-version
           - skip-manifest-reconciliation
-          - ca-certificate-rotation
-          - istio-gateway-secret-rotation
+          - legacy-istio-gateway-secret-rotation
           - self-signed-certificate-rotation
           - mandatory-module-with-old-naming-pattern
           - mandatory-module-metrics-with-old-naming-pattern

.golangci.yaml

@@ -134,6 +134,8 @@ linters-settings:
         alias: watcherctrl
       - pkg: github.com/kyma-project/lifecycle-manager/internal/gatewaysecret/client
         alias: gatewaysecretclient
+      - pkg: github.com/kyma-project/lifecycle-manager/internal/gatewaysecret/handler
+        alias: gatewaysecrethandler
   ireturn:
     allow:
       - anon

.run/Launch KLM locally.run.xml

@@ -2,7 +2,7 @@
   <configuration default="false" name="Launch KLM locally" type="GoApplicationRunConfiguration" factoryName="Go Application">
     <module name="lifecycle-manager" />
     <working_directory value="$PROJECT_DIR$" />
-    <parameters value="--in-kcp-mode --enable-kcp-watcher --skr-watcher-image-tag=1.1.7" />
+    <parameters value="--in-kcp-mode --enable-kcp-watcher --skr-watcher-image-tag=1.1.10" />
     <envs>
       <env name="KUBECONFIG" value="$USER_HOME$/.k3d/kcp-local.yaml" />
     </envs>

.vscode/tasks.json

@@ -117,7 +117,6 @@
         "module-upgrade-new-version",
         "unmanage-module",
         "skip-manifest-reconciliation",
-        "ca-certificate-rotation",
         "self-signed-certificate-rotation",
         "mandatory-module",
         "mandatory-module-metrics",

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.23.5-alpine as builder
+FROM golang:1.23.6-alpine as builder
 
 WORKDIR /lifecycle-manager
 # Copy the Go Modules manifests