OCPCLOUD-3101: Merge https://github.com/kubernetes-sigs/cluster-api-provider-azure:v1.21.1 (8ee5386) into master

.github/workflows/codeql.yml

@@ -41,16 +41,16 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        uses: github/codeql-action/init@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,7 +60,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        uses: github/codeql-action/autobuild@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -73,6 +73,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        uses: github/codeql-action/analyze@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/dependabot-code-gen.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+      uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
       with:
         egress-policy: audit
     - name: Set up Go 1.x
@@ -29,8 +29,8 @@ jobs:
         go-version: '1.22'
       id: go
     - name: Check out code into the Go module directory
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-    - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # tag=v4.2.3
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # tag=v4.2.4
       name: Restore go cache
       with:
         path: |

.github/workflows/dependency-review.yml

@@ -17,11 +17,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
       - name: 'Checkout Repository'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1

.github/workflows/pr-golangci-lint.yaml

@@ -18,7 +18,7 @@ jobs:
           - ""
           - test
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # tag=v5.0.0
 
       - name: Calculate go version
         id: vars

.github/workflows/scorecards.yml

@@ -31,12 +31,12 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
       - name: "Checkout code"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
@@ -71,6 +71,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8
         with:
           sarif_file: results.sarif

.github/workflows/weekly-security-scan.yaml

@@ -0,0 +1,32 @@
+name: Weekly security scan
+
+on:
+  schedule:
+    # Cron for every Monday at 12:00 UTC.
+    - cron: "0 12 * * 1"
+
+# Remove all permissions from GITHUB_TOKEN except metadata.
+permissions: {}
+
+jobs:
+  scan:
+    strategy:
+      fail-fast: false
+      matrix:
+        branch: [ main, release-1.20, release-1.19 ]
+    name: Trivy
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # tag=v5.0.0
+      with:
+        ref: ${{ matrix.branch }}
+    - name: Calculate go version
+      id: vars
+      run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
+    - name: Set up Go
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # tag=v5.5.0
+      with:
+        go-version: ${{ steps.vars.outputs.go_version }}
+    - name: Run verify security target
+      run: make verify-security

CHANGELOG/v1.19.5.md

@@ -0,0 +1,26 @@
+## Changes by Kind
+
+### Other (Cleanup or Flake)
+
+- Bump CAPI to v1.9.8 ([#5675](https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5675), [@mboersma](https://github.com/mboersma))
+- Bump CAPI to v1.9.9 ([#5713](https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5713), [@mboersma](https://github.com/mboersma))
+- Remove community AKS marketplace extension from e2e tests because no longer valid ([#5647](https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5647), [@alimaazamat](https://github.com/alimaazamat))
+
+## Dependencies
+_Nothing has changed._
+
+### Added
+_Nothing has changed._
+
+### Changed
+- github.com/cloudflare/circl: [v1.3.7 → v1.6.1](https://github.com/cloudflare/circl/compare/v1.3.7...v1.6.1)
+- github.com/coredns/corefile-migration: [v1.0.25 → v1.0.26](https://github.com/coredns/corefile-migration/compare/v1.0.25...v1.0.26)
+- sigs.k8s.io/cluster-api/test: v1.9.6 → v1.9.9
+- sigs.k8s.io/cluster-api: v1.9.6 → v1.9.9
+
+### Removed
+_Nothing has changed._
+
+## Details
+<!-- markdown-link-check-disable-next-line -->
+https://github.com/kubernetes-sigs/cluster-api-provider-azure/compare/v1.19.4...v1.19.5

CHANGELOG/v1.19.6.md

@@ -0,0 +1,26 @@
+## Changes by Kind
+
+### Bug or Regression
+
+- Adds the ability to disable CAPZ components through a manager flag. Flags added for disabling ASO Secret Controller and disabling Azure JSON Machine Controller. ([#5759](https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5759), [@bryan-cox](https://github.com/bryan-cox))
+
+### Other (Cleanup or Flake)
+
+- Bump CAPI to v1.9.10 ([#5762](https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5762), [@mboersma](https://github.com/mboersma))
+- Update default Kubernetes version to 1.32 ([#5764](https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5764), [@jsturtevant](https://github.com/jsturtevant))
+
+## Dependencies
+
+### Added
+_Nothing has changed._
+
+### Changed
+- sigs.k8s.io/cluster-api/test: v1.9.9 → v1.9.10
+- sigs.k8s.io/cluster-api: v1.9.9 → v1.9.10
+
+### Removed
+_Nothing has changed._
+
+## Details
+<!-- markdown-link-check-disable-next-line -->
+https://github.com/kubernetes-sigs/cluster-api-provider-azure/compare/v1.19.5...v1.19.6

CHANGELOG/v1.20.1.md

@@ -0,0 +1,22 @@
+## Changes by Kind
+
+### Other (Cleanup or Flake)
+
+- Bump CAPI to v1.10.3 ([#5729](https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5729), [@mboersma](https://github.com/mboersma))
+
+## Dependencies
+
+### Added
+_Nothing has changed._
+
+### Changed
+- github.com/cloudflare/circl: [v1.3.7 → v1.6.1](https://github.com/cloudflare/circl/compare/v1.3.7...v1.6.1)
+- sigs.k8s.io/cluster-api/test: v1.10.2 → v1.10.3
+- sigs.k8s.io/cluster-api: v1.10.2 → v1.10.3
+
+### Removed
+_Nothing has changed._
+
+## Details
+<!-- markdown-link-check-disable-next-line -->
+https://github.com/kubernetes-sigs/cluster-api-provider-azure/compare/v1.20.0...v1.20.1

CHANGELOG/v1.20.2.md

@@ -0,0 +1,26 @@
+## Changes by Kind
+
+### Bug or Regression
+
+- Adds the ability to disable CAPZ components through a manager flag. Flags added for disabling ASO Secret Controller and disabling Azure JSON Machine Controller. ([#5758](https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5758), [@bryan-cox](https://github.com/bryan-cox))
+
+### Other (Cleanup or Flake)
+
+- Bump CAPI to v1.10.4 ([#5771](https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5771), [@mboersma](https://github.com/mboersma))
+
+## Dependencies
+
+### Added
+_Nothing has changed._
+
+### Changed
+- github.com/go-viper/mapstructure/v2: [v2.2.1 → v2.3.0](https://github.com/go-viper/mapstructure/compare/v2.2.1...v2.3.0)
+- sigs.k8s.io/cluster-api/test: v1.10.3 → v1.10.4
+- sigs.k8s.io/cluster-api: v1.10.3 → v1.10.4
+
+### Removed
+_Nothing has changed._
+
+## Details
+<!-- markdown-link-check-disable-next-line -->
+https://github.com/kubernetes-sigs/cluster-api-provider-azure/compare/v1.20.1...v1.20.2

CHANGELOG/v1.21.0.md

@@ -0,0 +1,76 @@
+## Changes by Kind
+
+### Deprecation
+
+- Warning messages added for deprecation of AzureManaged API ([#5699](https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5699), [@alimaazamat](https://github.com/alimaazamat))
+
+### Feature
+
+- Add ability to optionally create the Private DNS Zone for unmanaged clusters instead of always creating one. Setting `PrivateDNSZone` within the `NetworkSpec` to `PrivateDNSZoneiCreationModeNone` will skip creating the Private DNS zone. ([#5666](https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5666), [@sadasu](https://github.com/sadasu))
+
+### Bug or Regression
+
+- ASOAPI: Fixed a possible bug that could leave ASO resources dangling when they should be deleted. ([#5571](https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5571), [@nojnhuh](https://github.com/nojnhuh))
+- Adds the ability to disable CAPZ components through a manager flag. Flags added for disabling ASO Secret Controller and disabling Azure JSON Machine Controller. ([#5552](https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5552), [@bryan-cox](https://github.com/bryan-cox))
+- Dont give contributor access to byo identity in aks mgmt cluster creation ([#5802](https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5802), [@willie-yao](https://github.com/willie-yao))
+- Fixes disabling NAT gateway for `cluster` role subnets ([#5816](https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5816), [@cPu1](https://github.com/cPu1))
+
+### Other (Cleanup or Flake)
+
+- Bump CAPI to v1.10.3 ([#5712](https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5712), [@mboersma](https://github.com/mboersma))
+- Bump CAPI to v1.10.4 ([#5761](https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5761), [@mboersma](https://github.com/mboersma))
+
+## Dependencies
+
+### Added
+_Nothing has changed._
+
+### Changed
+- cel.dev/expr: v0.22.1 → v0.23.0
+- github.com/Azure/azure-sdk-for-go/sdk/azcore: [v1.18.0 → v1.18.2](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.18.0...sdk/azcore/v1.18.2)
+- github.com/Azure/azure-sdk-for-go/sdk/azidentity: [v1.10.0 → v1.11.0](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azidentity/v1.10.0...sdk/azidentity/v1.11.0)
+- github.com/Azure/azure-sdk-for-go/sdk/internal: [v1.11.1 → v1.11.2](https://github.com/Azure/azure-sdk-for-go/compare/sdk/internal/v1.11.1...sdk/internal/v1.11.2)
+- github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi: [v1.2.0 → v1.3.0](https://github.com/Azure/azure-sdk-for-go/compare/sdk/resourcemanager/msi/armmsi/v1.2.0...sdk/resourcemanager/msi/armmsi/v1.3.0)
+- github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: [v1.26.0 → v1.27.0](https://github.com/GoogleCloudPlatform/opentelemetry-operations-go/compare/detectors/gcp/v1.26.0...detectors/gcp/v1.27.0)
+- github.com/cloudflare/circl: [v1.3.7 → v1.6.1](https://github.com/cloudflare/circl/compare/v1.3.7...v1.6.1)
+- github.com/cncf/xds/go: [2f00578 → ae57f3c](https://github.com/cncf/xds/compare/2f00578...ae57f3c)
+- github.com/go-jose/go-jose/v4: [v4.0.4 → v4.0.5](https://github.com/go-jose/go-jose/compare/v4.0.4...v4.0.5)
+- github.com/go-viper/mapstructure/v2: [v2.2.1 → v2.3.0](https://github.com/go-viper/mapstructure/compare/v2.2.1...v2.3.0)
+- github.com/golang-jwt/jwt/v5: [v5.2.2 → v5.3.0](https://github.com/golang-jwt/jwt/compare/v5.2.2...v5.3.0)
+- github.com/grpc-ecosystem/grpc-gateway/v2: [v2.26.3 → v2.27.1](https://github.com/grpc-ecosystem/grpc-gateway/compare/v2.26.3...v2.27.1)
+- github.com/hashicorp/go-retryablehttp: [v0.7.7 → v0.7.8](https://github.com/hashicorp/go-retryablehttp/compare/v0.7.7...v0.7.8)
+- github.com/onsi/gomega: [v1.37.0 → v1.38.0](https://github.com/onsi/gomega/compare/v1.37.0...v1.38.0)
+- github.com/prometheus/common: [v0.64.0 → v0.65.0](https://github.com/prometheus/common/compare/v0.64.0...v0.65.0)
+- github.com/spf13/pflag: [v1.0.6 → v1.0.7](https://github.com/spf13/pflag/compare/v1.0.6...v1.0.7)
+- go.opentelemetry.io/contrib/detectors/gcp: v1.34.0 → v1.35.0
+- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.36.0 → v1.37.0
+- go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.36.0 → v1.37.0
+- go.opentelemetry.io/otel/exporters/prometheus: v0.58.0 → v0.59.0
+- go.opentelemetry.io/otel/metric: v1.36.0 → v1.37.0
+- go.opentelemetry.io/otel/sdk/metric: v1.36.0 → v1.37.0
+- go.opentelemetry.io/otel/sdk: v1.36.0 → v1.37.0
+- go.opentelemetry.io/otel/trace: v1.36.0 → v1.37.0
+- go.opentelemetry.io/otel: v1.36.0 → v1.37.0
+- go.opentelemetry.io/proto/otlp: v1.6.0 → v1.7.0
+- golang.org/x/crypto: v0.39.0 → v0.41.0
+- golang.org/x/mod: v0.25.0 → v0.27.0
+- golang.org/x/net: v0.40.0 → v0.42.0
+- golang.org/x/sync: v0.15.0 → v0.16.0
+- golang.org/x/sys: v0.33.0 → v0.35.0
+- golang.org/x/telemetry: bda5523 → 8d8967a
+- golang.org/x/term: v0.32.0 → v0.34.0
+- golang.org/x/text: v0.26.0 → v0.28.0
+- golang.org/x/tools: v0.33.0 → v0.35.0
+- google.golang.org/genproto/googleapis/api: 55703ea → 513f239
+- google.golang.org/genproto/googleapis/rpc: 55703ea → 513f239
+- google.golang.org/grpc: v1.72.1 → v1.73.0
+- sigs.k8s.io/cluster-api/test: v1.10.2 → v1.10.4
+- sigs.k8s.io/cluster-api: v1.10.2 → v1.10.4
+
+### Removed
+- github.com/dgryski/go-rendezvous: [9f7001d](https://github.com/dgryski/go-rendezvous/tree/9f7001d)
+- github.com/redis/go-redis/v9: [v9.8.0](https://github.com/redis/go-redis/tree/v9.8.0)
+
+## Details
+<!-- markdown-link-check-disable-next-line -->
+https://github.com/kubernetes-sigs/cluster-api-provider-azure/compare/v1.20.0...v1.21.0

Dockerfile

@@ -18,7 +18,7 @@
 ARG ARCH
 
 # Build the manager binary
-FROM golang:1.23 AS builder
+FROM golang:1.24 AS builder
 WORKDIR /workspace
 
 # Run this with docker build --build_arg $(go env GOPROXY) to override the goproxy