NO-JIRA: Sync main with latest upstream (release-0.14)

[stephenfin]

Sync main with the latest upstream release branch, release-0.14. This is mostly non-controversial except for a CARRY patch needed to ensure we vendor sigs.k8s.io/cluster-api/api/ipam/v1beta1 (since that is needed for client generation).

❯ git diff upstream/release-0.14 -- \
    ':!vendor' ':!hack/tools/vendor' ':!openshift' \
    ':!DOWNSTREAM_OWNERS' ':!DOWNSTREAM_OWNERS_ALIASES' \
    ':!.ci-operator.yaml' ':!.snyk' ':!Dockerfile.rhel'

diff --git a/.gitignore b/.gitignore
index fbf39d817..5aa76d135 100644
--- a/.gitignore
+++ b/.gitignore
@@ -187,5 +187,6 @@ docs/book/book/
 # Development container files (https://containers.dev/)
 .devcontainer
 
-# CAPO doesn't use vendorings
-vendor/
+# Don't ignore anything in vendor directories
+!/vendor/**
+!/hack/tools/vendor/**
diff --git a/Makefile b/Makefile
index fa28dafc3..4dce9e83d 100644
--- a/Makefile
+++ b/Makefile
@@ -299,6 +299,18 @@ modules: ## Runs go mod to ensure proper vendoring.
 	go mod tidy
 	cd $(TOOLS_DIR); go mod tidy
 
+.PHONY: merge-bot
+merge-bot: full-vendoring generate generate-openshift ## Runs targets that help merge-bot to rebase downstream CAPO.
+
+.PHONY: full-vendoring
+full-vendoring: ## Runs commands that complete vendoring tasks for downstream CAPO.
+	go mod tidy && go mod vendor
+	cd $(TOOLS_DIR); go mod tidy; go mod vendor
+
+.PHONY: generate-openshift
+generate-openshift:
+	$(MAKE) -C $(REPO_ROOT)/openshift generate
+
 .PHONY: generate
 generate: templates generate-controller-gen generate-codegen generate-go generate-manifests generate-api-docs ## Generate all generated code
 
@@ -688,6 +700,17 @@ verify-security: ## Verify code and images for vulnerabilities
 		exit 1; \
 	fi
 
+.PHONY: vendor verify-vendoring
+vendor:
+	go mod vendor
+	cd $(TOOLS_DIR); go mod vendor
+
+verify-vendoring: vendor
+	@if !(git diff --quiet HEAD); then \
+		git diff; \
+		echo "vendored files are out of date, run go mod vendor"; exit 1; \
+	fi
+
 .PHONY: compile-e2e
 compile-e2e: ## Test e2e compilation
 	go test -c -o /dev/null -tags=e2e ./test/e2e/suites/conformance
diff --git a/tools.go b/tools.go
new file mode 100644
index 000000000..4edeb461e
--- /dev/null
+++ b/tools.go
@@ -0,0 +1,26 @@
+//go:build tools
+// +build tools
+
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	// Required for OpenAPI code generation - the vendored cluster-api only has
+	// ipam/v1beta2, but we need v1beta1 for compatibility with older CAPI versions
+	_ "sigs.k8s.io/cluster-api/api/ipam/v1beta1"
+)

Prior art

• OSASINFRA-3976: Sync main with latest upstream (release-0.13) #387

[openshift-ci-robot]

@stephenfin: This pull request explicitly references no jira issue.

Details

In response to this:

Sync main with the latest upstream release branch, release-0.14. This is mostly non-controversial except for a CARRY patch needed to ensure we vendor sigs.k8s.io/cluster-api/api/ipam/v1beta1 (since that is needed for client generation).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[stephenfin]

/assign @gryf
/assign @mandre
/assign @eshulman2

[mandre]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mandre

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• DOWNSTREAM_OWNERS [mandre]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[stephenfin]

/verified by CI

[stephenfin]

/override ci/prow/e2e-hypershift

[openshift-ci-robot]

@stephenfin: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@stephenfin: Overrode contexts on behalf of stephenfin: ci/prow/e2e-hypershift

Details

In response to this:

/override ci/prow/e2e-hypershift

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@stephenfin: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[stephenfin]

For future me, this ended up being rebased onto commit 430841d