UPSTREAM: <carry>: Pin IPAM CRD manifests to CAPI from release-4.20

We can't push v1beta2 IPAM to production clusters without also running
the conversion webhook, so we pin to the last released version which did
not have it.

TPNU clusters continue to get the latest CAPI.

Author: mdbooth

openshift/Makefile

@@ -1,10 +1,13 @@
-BIN_DIR := bin
 TOOLS_DIR := tools
 
 $(RELEASE_DIR):
 	mkdir -p $(RELEASE_DIR)/
 
-MANIFESTS_GEN := go run ./vendor/github.com/openshift/cluster-capi-operator/manifests-gen/
+MANIFESTS_GEN := $(TOOLS_DIR)/bin/manifests-gen
+KUSTOMIZE := $(TOOLS_DIR)/bin/kustomize
+
+$(TOOLS_DIR)/bin/%:
+	$(MAKE) -C $(TOOLS_DIR) bin/$*
 
 .PHONY: check-env
 check-env:
@@ -16,8 +19,21 @@ endif
 update-manifests-gen:
 	cd tools && go get github.com/openshift/cluster-capi-operator/manifests-gen && go mod tidy && go mod vendor
 
+.PHONY: update-ipam-ref
+update-ipam-ref:
+	# Get the current HEAD of the release-4.20 branch
+	$(eval current_head := $(shell git ls-remote https://github.com/openshift/cluster-api release-4.20 | awk '$$2 == "refs/heads/release-4.20" {print $$1}'))
+
+	# Pin the current head in the ipam CRD kustomize resource target
+	sed -i "s,https://github.com/openshift/cluster-api/config/crd?ref=.*,https://github.com/openshift/cluster-api/config/crd?ref=$(current_head)," ipam/kustomization.yaml
+
+.PHONY: ipam-manifests
+ipam-manifests: $(KUSTOMIZE)
+	$(KUSTOMIZE) build ipam -o manifests/0000_30_cluster-api_04_crd.core-cluster-api.yaml
+
+# Rebasebot runs ocp-manifests, so we make it generate ipam-manifests too
 .PHONY: ocp-manifests
-ocp-manifests: $(RELEASE_DIR) check-env ## Builds openshift specific manifests
+ocp-manifests: ipam-manifests $(MANIFESTS_GEN) check-env | $(RELEASE_DIR) ## Builds openshift specific manifests
 	# Generate provider manifests.
 	# TODO: load the provider-version dynamically at rebase time when this is invoked by the Rebase Bot during one of its lifecycle hooks.
-	cd tools && $(MANIFESTS_GEN) --provider-name "cluster-api" --provider-type "CoreProvider" --provider-version "${PROVIDER_VERSION}" --base-path "../../" --manifests-path "../manifests" --kustomize-dir="openshift"
+	$(MANIFESTS_GEN) --provider-name "cluster-api" --provider-type "CoreProvider" --provider-version "${PROVIDER_VERSION}" --base-path "../" --manifests-path "./manifests" --kustomize-dir="openshift"

openshift/ipam/kustomization.yaml

@@ -0,0 +1,50 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# MAPV uses the CAPI IPAM CRDs. Until CAPI reaches GA, these CRDs must be
+# separately installed in production clusters. This workaround can be removed
+# when CAPI reaches GA: they will be installed via the CAPI Operator manifests
+# along with all other CAPI CRDs.
+#
+# In 4.21 we bumped CAPI to a version which includes v1beta2, and therefore
+# requires a conversion webhook. This would break production vsphere clusters
+# using IPAM, because we are not yet deploying this webhook in production
+# clusters. As MAPV does not require the v1beta2 IPAM CRDs, we pin them at the
+# versions shipped in 4.20 for now.
+
+commonAnnotations:
+  # Boilerplate annotations
+  exclude.release.openshift.io/internal-openshift-hosted: "true"
+  include.release.openshift.io/self-managed-high-availability: "true"
+  include.release.openshift.io/single-node-developer: "true"
+
+  # Instructs CVO to only install these resources in clusters with the Default
+  # featureset. Specifically this means that they will not be installed in
+  # (TechPreview|Custom|Dev)NoUpgrade clusters.
+  release.openshift.io/feature-set: Default
+
+resources:
+# Pinned at 4.20, as that was the last release which didn't have v1beta2
+- https://github.com/openshift/cluster-api/config/crd?ref=de1db2970e7fede7101e5a8188e74942ab6665e3
+
+# Together these 2 patches remove all CRDs except those with the name suffix
+# '.ipam.cluster.x-k8s.io'
+patches:
+
+# First add the local-config annotation to all CRDs.
+# kustomize will not emit resources with this annotation
+- target:
+    kind: CustomResourceDefinition
+  patch: |
+    - op: "add"
+      path: "/metadata/annotations/config.kubernetes.io~1local-config"
+      value: "true"
+
+# Then selectively remove the local-config annotation from CRDs in
+# ipam.cluster.x-k8s.io, meaning they will be emitted
+- target:
+    kind: CustomResourceDefinition
+    name: '.*\.ipam\.cluster\.x-k8s\.io$'
+  patch: |
+    - op: remove
+      path: "/metadata/annotations/config.kubernetes.io~1local-config"

openshift/tools/.gitignore

@@ -1,2 +1 @@
-bin
-bin/*
+./bin

openshift/tools/Makefile

@@ -0,0 +1,18 @@
+BIN_DIR := bin
+
+MANIFESTS_GEN := bin/manifests-gen
+KUSTOMIZE := bin/kustomize
+
+$(MANIFESTS_GEN): pkg = github.com/openshift/cluster-capi-operator/manifests-gen
+$(KUSTOMIZE): pkg = sigs.k8s.io/kustomize/kustomize/v5
+
+.PHONY: default
+default: $(MANIFESTS_GEN) $(KUSTOMIZE)
+
+$(BIN_DIR):
+	mkdir -p $(BIN_DIR)
+
+$(BIN_DIR)/%: _FORCE | $(BIN_DIR)
+	go build -o $@ $(pkg)
+
+.PHONY: _FORCE

openshift/tools/go.mod

@@ -4,7 +4,10 @@ go 1.24.0
 
 toolchain go1.24.3
 
-require github.com/openshift/cluster-capi-operator/manifests-gen v0.0.0-20251128150503-3d0f9cd4dcdf
+require (
+	github.com/openshift/cluster-capi-operator/manifests-gen v0.0.0-20251209152545-de2bd18f0a52
+	sigs.k8s.io/kustomize/kustomize/v5 v5.8.0
+)
 
 require (
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
@@ -20,80 +23,85 @@ require (
 	github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
-	github.com/fsnotify/fsnotify v1.8.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.21.1 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.1 // indirect
-	github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
-	github.com/gobuffalo/flect v1.0.3 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/btree v1.1.3 // indirect
-	github.com/google/gnostic-models v0.6.9 // indirect
+	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-github/v53 v53.2.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/onsi/gomega v1.38.2 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_golang v1.22.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.64.0 // indirect
-	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.17.0 // indirect
 	github.com/sagikazarmark/locafero v0.7.0 // indirect
+	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.12.0 // indirect
 	github.com/spf13/cast v1.7.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
-	github.com/spf13/viper v1.20.0 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/spf13/viper v1.20.1 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xlab/treeprint v1.2.0 // indirect
-	go.opentelemetry.io/otel v1.36.0 // indirect
-	go.opentelemetry.io/otel/trace v1.36.0 // indirect
-	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.opentelemetry.io/otel v1.38.0 // indirect
+	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.39.0 // indirect
-	golang.org/x/net v0.41.0 // indirect
-	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/term v0.32.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
-	golang.org/x/time v0.11.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.32.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/time v0.14.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.33.3 // indirect
-	k8s.io/apiextensions-apiserver v0.33.3 // indirect
-	k8s.io/apimachinery v0.33.3 // indirect
-	k8s.io/client-go v0.33.3 // indirect
-	k8s.io/cluster-bootstrap v0.32.3 // indirect
-	k8s.io/component-base v0.33.3 // indirect
+	k8s.io/api v0.34.1 // indirect
+	k8s.io/apiextensions-apiserver v0.34.1 // indirect
+	k8s.io/apimachinery v0.34.1 // indirect
+	k8s.io/client-go v0.34.1 // indirect
+	k8s.io/cluster-bootstrap v0.33.3 // indirect
+	k8s.io/component-base v0.34.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
-	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
-	sigs.k8s.io/cluster-api v1.10.4 // indirect
-	sigs.k8s.io/controller-runtime v0.20.4 // indirect
+	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
+	k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d // indirect
+	sigs.k8s.io/cluster-api v1.11.3 // indirect
+	sigs.k8s.io/controller-runtime v0.22.4 // indirect
 	sigs.k8s.io/gateway-api v1.1.0 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
-	sigs.k8s.io/kustomize/api v0.19.0 // indirect
-	sigs.k8s.io/kustomize/kyaml v0.19.0 // indirect
+	sigs.k8s.io/kustomize/api v0.21.0 // indirect
+	sigs.k8s.io/kustomize/cmd/config v0.21.0 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.21.0 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
 )

openshift/tools/tools.go

@@ -4,4 +4,5 @@ package tools
 
 import (
 	_ "github.com/openshift/cluster-capi-operator/manifests-gen"
+	_ "sigs.k8s.io/kustomize/kustomize/v5"
 )