rebase: bump sigs.k8s.io/controller-runtime

Bumps the k8s-dependencies group with 1 update in the / directory: [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime).


Updates `sigs.k8s.io/controller-runtime` from 0.19.4 to 0.20.1
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.19.4...v0.20.1)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: k8s-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/defaulter.go

@@ -1,84 +0,0 @@
-/*
-Copyright 2018 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package admission
-
-import (
-	"context"
-	"encoding/json"
-	"net/http"
-
-	admissionv1 "k8s.io/api/admission/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-)
-
-// Defaulter defines functions for setting defaults on resources.
-// Deprecated: Ue CustomDefaulter instead.
-type Defaulter interface {
-	runtime.Object
-	Default()
-}
-
-// DefaultingWebhookFor creates a new Webhook for Defaulting the provided type.
-// Deprecated: Use WithCustomDefaulter instead.
-func DefaultingWebhookFor(scheme *runtime.Scheme, defaulter Defaulter) *Webhook {
-	return &Webhook{
-		Handler: &mutatingHandler{defaulter: defaulter, decoder: NewDecoder(scheme)},
-	}
-}
-
-type mutatingHandler struct {
-	defaulter Defaulter
-	decoder   Decoder
-}
-
-// Handle handles admission requests.
-func (h *mutatingHandler) Handle(ctx context.Context, req Request) Response {
-	if h.decoder == nil {
-		panic("decoder should never be nil")
-	}
-	if h.defaulter == nil {
-		panic("defaulter should never be nil")
-	}
-
-	// always skip when a DELETE operation received in mutation handler
-	// describe in https://github.com/kubernetes-sigs/controller-runtime/issues/1762
-	if req.Operation == admissionv1.Delete {
-		return Response{AdmissionResponse: admissionv1.AdmissionResponse{
-			Allowed: true,
-			Result: &metav1.Status{
-				Code: http.StatusOK,
-			},
-		}}
-	}
-
-	// Get the object in the request
-	obj := h.defaulter.DeepCopyObject().(Defaulter)
-	if err := h.decoder.Decode(req, obj); err != nil {
-		return Errored(http.StatusBadRequest, err)
-	}
-
-	// Default the object
-	obj.Default()
-	marshalled, err := json.Marshal(obj)
-	if err != nil {
-		return Errored(http.StatusInternalServerError, err)
-	}
-
-	// Create the patch
-	return PatchResponseFromRaw(req.Object.Raw, marshalled)
-}

vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/defaulter_custom.go

@@ -21,11 +21,14 @@ import (
 	"encoding/json"
 	"errors"
 	"net/http"
+	"slices"
 
+	"gomodules.xyz/jsonpatch/v2"
 	admissionv1 "k8s.io/api/admission/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
 )
 
 // CustomDefaulter defines functions for setting defaults on resources.
@@ -33,17 +36,41 @@ type CustomDefaulter interface {
 	Default(ctx context.Context, obj runtime.Object) error
 }
 
+type defaulterOptions struct {
+	removeUnknownOrOmitableFields bool
+}
+
+// DefaulterOption defines the type of a CustomDefaulter's option
+type DefaulterOption func(*defaulterOptions)
+
+// DefaulterRemoveUnknownOrOmitableFields makes the defaulter prune fields that are in the json object retrieved by the
+// webhook but not in the local go type json representation. This happens for example when the CRD in the apiserver has
+// fields that our go type doesn't know about, because it's outdated, or the field has a zero value and is `omitempty`.
+func DefaulterRemoveUnknownOrOmitableFields(o *defaulterOptions) {
+	o.removeUnknownOrOmitableFields = true
+}
+
 // WithCustomDefaulter creates a new Webhook for a CustomDefaulter interface.
-func WithCustomDefaulter(scheme *runtime.Scheme, obj runtime.Object, defaulter CustomDefaulter) *Webhook {
+func WithCustomDefaulter(scheme *runtime.Scheme, obj runtime.Object, defaulter CustomDefaulter, opts ...DefaulterOption) *Webhook {
+	options := &defaulterOptions{}
+	for _, o := range opts {
+		o(options)
+	}
 	return &Webhook{
-		Handler: &defaulterForType{object: obj, defaulter: defaulter, decoder: NewDecoder(scheme)},
+		Handler: &defaulterForType{
+			object:                        obj,
+			defaulter:                     defaulter,
+			decoder:                       NewDecoder(scheme),
+			removeUnknownOrOmitableFields: options.removeUnknownOrOmitableFields,
+		},
 	}
 }
 
 type defaulterForType struct {
-	defaulter CustomDefaulter
-	object    runtime.Object
-	decoder   Decoder
+	defaulter                     CustomDefaulter
+	object                        runtime.Object
+	decoder                       Decoder
+	removeUnknownOrOmitableFields bool
 }
 
 // Handle handles admission requests.
@@ -76,6 +103,12 @@ func (h *defaulterForType) Handle(ctx context.Context, req Request) Response {
 		return Errored(http.StatusBadRequest, err)
 	}
 
+	// Keep a copy of the object if needed
+	var originalObj runtime.Object
+	if !h.removeUnknownOrOmitableFields {
+		originalObj = obj.DeepCopyObject()
+	}
+
 	// Default the object
 	if err := h.defaulter.Default(ctx, obj); err != nil {
 		var apiStatus apierrors.APIStatus
@@ -90,5 +123,43 @@ func (h *defaulterForType) Handle(ctx context.Context, req Request) Response {
 	if err != nil {
 		return Errored(http.StatusInternalServerError, err)
 	}
-	return PatchResponseFromRaw(req.Object.Raw, marshalled)
+
+	handlerResponse := PatchResponseFromRaw(req.Object.Raw, marshalled)
+	if !h.removeUnknownOrOmitableFields {
+		handlerResponse = h.dropSchemeRemovals(handlerResponse, originalObj, req.Object.Raw)
+	}
+	return handlerResponse
+}
+
+func (h *defaulterForType) dropSchemeRemovals(r Response, original runtime.Object, raw []byte) Response {
+	const opRemove = "remove"
+	if !r.Allowed || r.PatchType == nil {
+		return r
+	}
+
+	// If we don't have removals in the patch.
+	if !slices.ContainsFunc(r.Patches, func(o jsonpatch.JsonPatchOperation) bool { return o.Operation == opRemove }) {
+		return r
+	}
+
+	// Get the raw to original patch
+	marshalledOriginal, err := json.Marshal(original)
+	if err != nil {
+		return Errored(http.StatusInternalServerError, err)
+	}
+
+	patchOriginal, err := jsonpatch.CreatePatch(raw, marshalledOriginal)
+	if err != nil {
+		return Errored(http.StatusInternalServerError, err)
+	}
+	removedByScheme := sets.New(slices.DeleteFunc(patchOriginal, func(p jsonpatch.JsonPatchOperation) bool { return p.Operation != opRemove })...)
+
+	r.Patches = slices.DeleteFunc(r.Patches, func(p jsonpatch.JsonPatchOperation) bool {
+		return p.Operation == opRemove && removedByScheme.Has(p)
+	})
+
+	if len(r.Patches) == 0 {
+		r.PatchType = nil
+	}
+	return r
 }

vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/validator.go

@@ -1,127 +0,0 @@
-/*
-Copyright 2018 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package admission
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/http"
-
-	v1 "k8s.io/api/admission/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/runtime"
-)
-
-// Warnings represents warning messages.
-type Warnings []string
-
-// Validator defines functions for validating an operation.
-// The custom resource kind which implements this interface can validate itself.
-// To validate the custom resource with another specific struct, use CustomValidator instead.
-// Deprecated: Use CustomValidator instead.
-type Validator interface {
-	runtime.Object
-
-	// ValidateCreate validates the object on creation.
-	// The optional warnings will be added to the response as warning messages.
-	// Return an error if the object is invalid.
-	ValidateCreate() (warnings Warnings, err error)
-
-	// ValidateUpdate validates the object on update. The oldObj is the object before the update.
-	// The optional warnings will be added to the response as warning messages.
-	// Return an error if the object is invalid.
-	ValidateUpdate(old runtime.Object) (warnings Warnings, err error)
-
-	// ValidateDelete validates the object on deletion.
-	// The optional warnings will be added to the response as warning messages.
-	// Return an error if the object is invalid.
-	ValidateDelete() (warnings Warnings, err error)
-}
-
-// ValidatingWebhookFor creates a new Webhook for validating the provided type.
-// Deprecated: Use WithCustomValidator instead.
-func ValidatingWebhookFor(scheme *runtime.Scheme, validator Validator) *Webhook {
-	return &Webhook{
-		Handler: &validatingHandler{validator: validator, decoder: NewDecoder(scheme)},
-	}
-}
-
-type validatingHandler struct {
-	validator Validator
-	decoder   Decoder
-}
-
-// Handle handles admission requests.
-func (h *validatingHandler) Handle(ctx context.Context, req Request) Response {
-	if h.decoder == nil {
-		panic("decoder should never be nil")
-	}
-	if h.validator == nil {
-		panic("validator should never be nil")
-	}
-	// Get the object in the request
-	obj := h.validator.DeepCopyObject().(Validator)
-
-	var err error
-	var warnings []string
-
-	switch req.Operation {
-	case v1.Connect:
-		// No validation for connect requests.
-		// TODO(vincepri): Should we validate CONNECT requests? In what cases?
-	case v1.Create:
-		if err = h.decoder.Decode(req, obj); err != nil {
-			return Errored(http.StatusBadRequest, err)
-		}
-
-		warnings, err = obj.ValidateCreate()
-	case v1.Update:
-		oldObj := obj.DeepCopyObject()
-
-		err = h.decoder.DecodeRaw(req.Object, obj)
-		if err != nil {
-			return Errored(http.StatusBadRequest, err)
-		}
-		err = h.decoder.DecodeRaw(req.OldObject, oldObj)
-		if err != nil {
-			return Errored(http.StatusBadRequest, err)
-		}
-
-		warnings, err = obj.ValidateUpdate(oldObj)
-	case v1.Delete:
-		// In reference to PR: https://github.com/kubernetes/kubernetes/pull/76346
-		// OldObject contains the object being deleted
-		err = h.decoder.DecodeRaw(req.OldObject, obj)
-		if err != nil {
-			return Errored(http.StatusBadRequest, err)
-		}
-
-		warnings, err = obj.ValidateDelete()
-	default:
-		return Errored(http.StatusBadRequest, fmt.Errorf("unknown operation %q", req.Operation))
-	}
-
-	if err != nil {
-		var apiStatus apierrors.APIStatus
-		if errors.As(err, &apiStatus) {
-			return validationResponseFromStatus(false, apiStatus.Status()).WithWarnings(warnings...)
-		}
-		return Denied(err.Error()).WithWarnings(warnings...)
-	}
-	return Allowed("").WithWarnings(warnings...)
-}

vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/validator_custom.go

@@ -27,6 +27,9 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
+// Warnings represents warning messages.
+type Warnings []string
+
 // CustomValidator defines functions for validating an operation.
 // The object to be validated is passed into methods as a parameter.
 type CustomValidator interface {