migrate CRD generation to controller-gen and automate Helm RBAC sync

[kahirokunn]

Changes

• Migrate hand-maintained CRD YAMLs to controller-gen auto-generation from Go types
• Generate CRD YAMLs via controller-gen into config/crd/bases/
• Add hack/sync-helm-crds.sh to auto-sync Helm chart CRDs from controller-gen output
  (split out from operator.yaml)
• Add hack/sync-helm-rbac.sh to auto-sync Helm chart RBAC ClusterRoles from
  config/rbac/role.yaml into separate per-operator files
  (rbac/serving-operator-role.yaml, rbac/eventing-operator-role.yaml)
• Integrate controller-gen execution, Helm CRD sync, and Helm RBAC sync into
  hack/update-codegen.sh and hack/verify-codegen.sh

Why

The old hand-maintained CRDs had diverged from Go type definitions:

• Istio TLS fields were defined in camelCase (credentialName) but Go struct JSON tags use
  snake_case (credential_name); values were silently ignored on deserialization
• workloads[].version, workloads[].volumeMounts existed in CRD but had no backing Go
  struct fields. Setting them had no effect.
• tls.mode was string in CRD but int32 in Go

Similarly, the Helm chart's operator.yaml contained hand-maintained ClusterRole definitions
that could diverge from config/rbac/role.yaml.

Generating from Go types with controller-gen and syncing from a single source of truth
eliminates these inconsistencies and prevents future drift.

Release Note

Migrate CRD generation from hand-maintained YAML to controller-gen, and automate Helm chart CRD/RBAC sync from generated sources.
spec.ingress.* sub-fields (istio, kourier, contour, gateway-api) are now optional in the CRD schema, a backward-compatible validation change.

[knative-prow]

@kahirokunn: 0 warnings.

Details

In response to this:

Fixes #

Proposed Changes

Release Note

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[codecov]

Codecov Report

❌ Patch coverage is 95.00000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.58%. Comparing base (043a222) to head (956e019).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/reconciler/knativeserving/ingress/istio.go	95.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2269      +/-   ##
==========================================
+ Coverage   63.97%   64.58%   +0.60%     
==========================================
  Files          51       51              
  Lines        1960     1999      +39     
==========================================
+ Hits         1254     1291      +37     
- Misses        605      606       +1     
- Partials      101      102       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[houshengbo]

Thanks for this PR — the goal of migrating to controller-gen and automating Helm sync is valuable. However, the generated CRD schema introduces backward-incompatible changes that will break existing user CRs on upgrade. The CRD schema must not change field names, remove existing fields, or change field types.

Specific blockers:

1. Istio TLS field renames (12 fields): The Istio proto Go types use snake_case JSON tags (json:"credential_name"), so controller-gen generates snake_case field names. The existing CRD uses camelCase (credentialName, httpsRedirect, etc.). This rename breaks any existing CR that uses these fields. Additionally, tls.mode changes from string to int32.

2. Ghost fields removed: workloads[].version and workloads[].volumeMounts exist in the current CRD but have no backing Go struct fields. controller-gen drops them. Existing CRs that set these fields will fail validation.

Suggested approach: Create operator-local wrapper types for the Istio Server/Port/ServerTLSSettings structs with camelCase JSON tags matching the existing schema, and add the ghost fields to WorkloadOverride with deprecation comments. This preserves backward compatibility while achieving the controller-gen automation goal.

See inline comments for details.

[houshengbo]

A few additional non-blocking suggestions below.

[houshengbo]

/lgtm
/approve

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: houshengbo, kahirokunn

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [houshengbo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment