OCPBUGS-60704: operator: switch out VAP v1beta1 to v1

go.mod

@@ -31,7 +31,7 @@ require (
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/openshift/api v0.0.0-20240801145124-1cd5e2993247
 	github.com/openshift/client-go v0.0.0-20240528061634-b054aa794d87
-	github.com/openshift/library-go v0.0.0-20240607134135-aed018c215a1
+	github.com/openshift/library-go v0.0.0-20250821150749-08d89313a9b1
 	github.com/openshift/runtime-utils v0.0.0-20230921210328-7bdb5b9c177b
 	github.com/prometheus/client_golang v1.17.0
 	github.com/spf13/cobra v1.8.0

go.sum

@@ -601,8 +601,8 @@ github.com/openshift/client-go v0.0.0-20240528061634-b054aa794d87 h1:JtLhaGpSEco
 github.com/openshift/client-go v0.0.0-20240528061634-b054aa794d87/go.mod h1:3IPD4U0qyovZS4EFady2kqY32m8lGcbs/Wx+yprg9z8=
 github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0 h1:GPlAy197Jkr+D0T2FNWanamraTdzS/r9ZkT29lxvHaA=
 github.com/openshift/kube-openapi v0.0.0-20230816122517-ffc8f001abb0/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
-github.com/openshift/library-go v0.0.0-20240607134135-aed018c215a1 h1:jLERUXwvYY9+9oCz66oQ/XTZzeyH8RmCpxiImYVYnmA=
-github.com/openshift/library-go v0.0.0-20240607134135-aed018c215a1/go.mod h1:PdASVamWinll2BPxiUpXajTwZxV8A1pQbWEsCN1od7I=
+github.com/openshift/library-go v0.0.0-20250821150749-08d89313a9b1 h1:kSg+RCw4SFj1s7qNStKGfhjZudVsfEeqCOvuNlwLYuM=
+github.com/openshift/library-go v0.0.0-20250821150749-08d89313a9b1/go.mod h1:PdASVamWinll2BPxiUpXajTwZxV8A1pQbWEsCN1od7I=
 github.com/openshift/runtime-utils v0.0.0-20230921210328-7bdb5b9c177b h1:oXzC1N6E9gw76/WH2gEA8GEHvuq09wuVQ9GoCuR8GF4=
 github.com/openshift/runtime-utils v0.0.0-20230921210328-7bdb5b9c177b/go.mod h1:l9/qeKZuAmYUMl0yicJlbkPGDsIycGhwxOvOAWyaP0E=
 github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw=

manifests/machineconfigcontroller/machineconfiguration-guards-validatingadmissionpolicy.yaml

@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
   name: "machine-configuration-guards"

manifests/machineconfigcontroller/machineconfiguration-guards-validatingadmissionpolicybinding.yaml

@@ -1,7 +1,7 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
   name: "machine-configuration-guards-binding"
 spec:
   policyName: "machine-configuration-guards"
-  validationActions: [Deny]
+  validationActions: [Deny]

manifests/machineconfigcontroller/update-bootimages-validatingadmissionpolicy.yaml

@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
   name: "managed-bootimages-platform-check"

manifests/machineconfigcontroller/update-bootimages-validatingadmissionpolicybinding.yaml

@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
   name: "managed-bootimages-platform-check-binding"
@@ -7,4 +7,4 @@ spec:
   validationActions: [Deny]
   paramRef:
     name: "cluster"
-    parameterNotFoundAction: "Deny"
+    parameterNotFoundAction: "Deny"

manifests/machineconfigdaemon/mcn-guards-validatingadmissionpolicy.yaml

@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
   name: "mcn-guards"

manifests/machineconfigdaemon/mcn-guards-validatingadmissionpolicybinding.yaml

@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
   name: "mcn-guards-binding"

pkg/operator/sync.go

@@ -943,33 +943,29 @@ func (optr *Operator) applyManifests(config *renderConfig, paths manifestPaths)
 			return fmt.Errorf("received nil feature gates")
 		}
 
-		// Only sync validatingadmissionpolicy manifests if ValidatingAdmissionPolicy feature gate is enabled
-		if fg.Enabled(features.FeatureGateValidatingAdmissionPolicy) {
-
-			// These new apply functions have a resource cache in case there are duplicate CRs
-			noCache := resourceapply.NewResourceCache()
-			for _, path := range paths.validatingAdmissionPolicies {
-				vapBytes, err := renderAsset(config, path)
-				if err != nil {
-					return err
-				}
-				vap := resourceread.ReadValidatingAdmissionPolicyV1beta1OrDie(vapBytes)
-				_, _, err = resourceapply.ApplyValidatingAdmissionPolicyV1beta1(context.TODO(), optr.kubeClient.AdmissionregistrationV1beta1(), optr.libgoRecorder, vap, noCache)
-				if err != nil {
-					return err
-				}
+		// These new apply functions have a resource cache in case there are duplicate CRs
+		noCache := resourceapply.NewResourceCache()
+		for _, path := range paths.validatingAdmissionPolicies {
+			vapBytes, err := renderAsset(config, path)
+			if err != nil {
+				return err
+			}
+			vap := resourceread.ReadValidatingAdmissionPolicyV1OrDie(vapBytes)
+			_, _, err = resourceapply.ApplyValidatingAdmissionPolicyV1(context.TODO(), optr.kubeClient.AdmissionregistrationV1(), optr.libgoRecorder, vap, noCache)
+			if err != nil {
+				return err
 			}
+		}
 
-			for _, path := range paths.validatingAdmissionPolicyBindings {
-				vapbBytes, err := renderAsset(config, path)
-				if err != nil {
-					return err
-				}
-				vapb := resourceread.ReadValidatingAdmissionPolicyBindingV1beta1OrDie(vapbBytes)
-				_, _, err = resourceapply.ApplyValidatingAdmissionPolicyBindingV1beta1(context.TODO(), optr.kubeClient.AdmissionregistrationV1beta1(), optr.libgoRecorder, vapb, noCache)
-				if err != nil {
-					return err
-				}
+		for _, path := range paths.validatingAdmissionPolicyBindings {
+			vapbBytes, err := renderAsset(config, path)
+			if err != nil {
+				return err
+			}
+			vapb := resourceread.ReadValidatingAdmissionPolicyBindingV1OrDie(vapbBytes)
+			_, _, err = resourceapply.ApplyValidatingAdmissionPolicyBindingV1(context.TODO(), optr.kubeClient.AdmissionregistrationV1(), optr.libgoRecorder, vapb, noCache)
+			if err != nil {
+				return err
 			}
 		}
 		return nil