Bump k8s.io/* to v1.35

[afritzler]

Summary by CodeRabbit

• Chores
  • Updated Kubernetes modules to v0.35.0 and controller-runtime to v0.23.0
  • Bumped golangci-lint to v2.8 and controller-tools to v0.20.0
  • Updated test infra to use Kubernetes 1.35.0 binaries
• Refactor
  • Streamlined internal resource handling and webhook validations for clearer, typed validation flows
• Documentation
  • Updated API reference links and docs to Kubernetes v1.35 targets

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Warning

Rate limit exceeded

@afritzler has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minutes and 15 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Walkthrough

Updated tooling and Kubernetes dependencies, regenerated CRD metadata annotations, migrated webhook validators from runtime.Object to strongly-typed parameters, switched some controller resource updates from Patch to Apply, simplified probe implementations to return literal slices, and bumped test binary versions to 1.35.0.

Changes

Cohort / File(s)	Summary
Dependency & CI /.github/workflows/lint.yml, Makefile, go.mod	Bumped golangci-lint v2.5→v2.8, controller-tools v0.19.0→v0.20.0, Kubernetes modules and controller-runtime to v0.35.0/v0.23.0; removed indirect gogo/protobuf.
CRD manifests config/crd/bases/metal.ironcore.dev_*.yaml	Updated controller-gen kubebuilder annotation from v0.19.0→v0.20.0 across all CRD YAMLs; no schema changes.
Webhook validators internal/webhook/v1alpha1/biossettings_webhook.go, .../biosversion_webhook.go, .../bmcsettings_webhook.go, .../bmcversion_webhook.go, .../endpoint_webhook.go, .../server_webhook.go	Replaced runtime.Object parameters with strongly-typed *metalv1alpha1 types for ValidateCreate/Update/Delete; updated webhook registration to pass concrete objects; removed runtime type assertions and unused validator var declarations; adjusted error/field paths and logging.
Controller changes (apply vs patch) internal/controller/bmc_controller.go, internal/controller/server_controller.go	Renamed BMC method handleAnnotionOperations→handleAnnotationOperations; switched DNS/secret updates from Patch/SetControllerReference to Apply-based applyconfigurations with WithOwnerReferences.
Probe simplifications internal/probe/*_darwin.go, internal/probe/system_info_darwin.go	Replaced make/append patterns with direct slice literals and removed intermediate variables/logs; same returned data and nil errors.
Tests & suites internal/*/suite_test.go, internal/cmd/move/move_test.go, internal/webhook/v1alpha1/webhook_suite_test.go	Updated BinaryAssetsDirectory Kubernetes version to 1.35.0; small test refactors (unused import removal, slice preallocation replacement, direct assertions).
Docs & tooling config docs/api-reference/api.md, hack/api-reference/config.yaml	Updated API docs and api-reference config to reference Kubernetes v1.35 links; render.kubernetesVersion bumped to 1.35.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Refactor BIOSVersion webhook #575 — Similar webhook validator signature/type migration for BIOSVersion and related validation logic.

Suggested labels

documentation, minor, size/XL

Suggested reviewers

• Nuckal777
• nagadeesh-nagaraja
• davidgrun

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is empty, lacking any proposed changes, context, or issue references required by the repository template.	Add a description following the template: summarize the proposed changes (dependency version updates, testing considerations), and reference any related issues or PR objectives.
Docstring Coverage	⚠️ Warning	Docstring coverage is 43.75% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Bump k8s.io/* to v1.35' clearly and concisely describes the main change of updating Kubernetes dependencies from v1.34 to v1.35 across the codebase.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@internal/controller/server_controller.go`:
- Around line 625-671: The OwnerReference construction using
bootConfig.APIVersion and bootConfig.Kind must be replaced with hardcoded values
to avoid SSA validation failures: create a single ownerRef (replace both
duplicated metav1apply.OwnerReference() blocks) that sets APIVersion to
"metal.ironcore.dev/v1alpha1" and Kind to "ServerBootConfiguration", keep the
WithName/WithUID/WithController/WithBlockOwnerDeletion calls as-is, and reuse
that ownerRef for both sshSecretApply and ignitionSecretApply to remove the
duplicated blocks.

In `@internal/webhook/v1alpha1/biossettings_webhook.go`:
- Around line 91-95: The error string mistakenly says "BMC" instead of "Server";
update the fmt.Errorf call that builds the duplicate reference message (the one
using settings.Spec.ServerRef.Name, settings.Name, bs.Spec.ServerRef.Name,
bs.Name) to refer to "Server" or "ServerRef" (e.g., "Server (%s) referred in %s
is duplicate of Server (%s) referred in %s") so the message correctly reflects
BIOSSettings' ServerRef usage.

🧹 Nitpick comments (2)

internal/webhook/v1alpha1/endpoint_webhook.go (1)

96-96: Inconsistent field path casing between create and update validations.

Line 96 uses "MACAddress" while Line 113 uses "macAddress". Consider aligning both to use consistent casing (typically macAddress to match JSON field naming conventions).

🔧 Suggested fix

 	for _, e := range endpoints.Items {
 		if e.Spec.MACAddress == spec.MACAddress {
-			allErrs = append(allErrs, field.Duplicate(field.NewPath("spec").Child("MACAddress"), e.Spec.MACAddress))
+			allErrs = append(allErrs, field.Duplicate(field.NewPath("spec").Child("macAddress"), e.Spec.MACAddress))
 		}
 	}

Also applies to: 113-113

internal/webhook/v1alpha1/bmcversion_webhook.go (1)

75-92: Redundant Get call - the object is already provided as parameter.

The ValidateDelete method fetches the BMCVersion via v.Client.Get(), but the admission request already provides the complete object in obj. This is unnecessary and could introduce race conditions if the object changes between the admission request and the Get call.

Other webhook files in this PR (e.g., biosversion_webhook.go, biossettings_webhook.go) directly use obj.Status.State without re-fetching.

♻️ Suggested simplification

 func (v *BMCVersionCustomValidator) ValidateDelete(ctx context.Context, obj *metalv1alpha1.BMCVersion) (admission.Warnings, error) {
 	bmcversionlog.Info("Validation for BMCVersion upon deletion", "name", obj.GetName())
 
-	bv := &metalv1alpha1.BMCVersion{}
-	err := v.Client.Get(ctx, client.ObjectKey{
-		Name:      obj.GetName(),
-		Namespace: obj.GetNamespace(),
-	}, bv)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get BMCVersion: %w", err)
-	}
-
-	if bv.Status.State == metalv1alpha1.BMCVersionStateInProgress && !ShouldAllowForceDeleteInProgress(obj) {
+	if obj.Status.State == metalv1alpha1.BMCVersionStateInProgress && !ShouldAllowForceDeleteInProgress(obj) {
 		return nil, apierrors.NewBadRequest("Unable to delete BMCVersion as it is in progress")
 	}
 
 	return nil, nil
 }

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

internal/webhook/v1alpha1/endpoint_webhook.go (1)

86-114: Keep MAC address error paths consistent across create/update.

The ValidateMACAddressCreate function reports spec.MACAddress (uppercase), while ValidateMACAddressUpdate reports spec.macAddress (lowercase). Additionally, both functions ignore the path parameter passed to them and create a new path instead. Use path.Child("macAddress") in both functions to maintain consistency and properly utilize the path context.

🔧 Proposed fix

-			allErrs = append(allErrs, field.Duplicate(field.NewPath("spec").Child("MACAddress"), e.Spec.MACAddress))
+			allErrs = append(allErrs, field.Duplicate(path.Child("macAddress"), e.Spec.MACAddress))

-			allErrs = append(allErrs, field.Duplicate(field.NewPath("spec").Child("macAddress"), e.Spec.MACAddress))
+			allErrs = append(allErrs, field.Duplicate(path.Child("macAddress"), e.Spec.MACAddress))

🤖 Fix all issues with AI agents

In `@docs/api-reference/api.md`:
- Around line 452-455: The table contains bare URLs (e.g., the RFC link in the
`data` row and the Kubernetes links in the `type` row) that trigger markdownlint
MD034; update those bare URLs to use Markdown autolinks (wrap each URL in angle
brackets, e.g. <https://...>) so they are recognized as links by the linter
while preserving the existing text and links for the `data` and `type` table
rows.

In `@internal/webhook/v1alpha1/bmcsettings_webhook.go`:
- Around line 64-66: The apierrors.NewInvalid call constructs schema.GroupKind
using mixed sources (newObj.GroupVersionKind().Group and oldObj.Kind); change it
so both Group and Kind come from the same object (use newObj). Replace the Kind
argument (oldObj.Kind) with newObj.GroupVersionKind().Kind (or newObj's
equivalent) in the schema.GroupKind constructor inside the return statement in
bmcsettings_webhook.go where NewInvalid is called.

🧹 Nitpick comments (1)

internal/webhook/v1alpha1/bmcversion_webhook.go (1)

78-89: Redundant API fetch in ValidateDelete.

The obj parameter already contains the BMCVersion being deleted. Re-fetching it from the API server (lines 78-85) is unnecessary, adds latency, and introduces a potential race condition if the object state changes between the admission request and the re-fetch.

Compare with bmcsettings_webhook.go which correctly uses obj directly:

if obj.Status.State == metalv1alpha1.BMCSettingsStateInProgress && !ShouldAllowForceDeleteInProgress(obj) {

Proposed fix to use obj directly

 func (v *BMCVersionCustomValidator) ValidateDelete(ctx context.Context, obj *metalv1alpha1.BMCVersion) (admission.Warnings, error) {
 	bmcversionlog.Info("Validation for BMCVersion upon deletion", "name", obj.GetName())
 
-	bv := &metalv1alpha1.BMCVersion{}
-	err := v.Client.Get(ctx, client.ObjectKey{
-		Name:      obj.GetName(),
-		Namespace: obj.GetNamespace(),
-	}, bv)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get BMCVersion: %w", err)
-	}
-
-	if bv.Status.State == metalv1alpha1.BMCVersionStateInProgress && !ShouldAllowForceDeleteInProgress(obj) {
+	if obj.Status.State == metalv1alpha1.BMCVersionStateInProgress && !ShouldAllowForceDeleteInProgress(obj) {
 		return nil, apierrors.NewBadRequest("Unable to delete BMCVersion as it is in progress")
 	}
 
 	return nil, nil
 }