
Incompatible with controller-runtime >= v0.23.0 due to NewWebhookManagedBy API change #665

@rbever-nvidia

Summary

When using spire-controller-manager as a dependency (for API types), builds fail if the consuming project uses sigs.k8s.io/controller-runtime >= v0.23.0.

This is due to a breaking change in controller-runtime where the NewWebhookManagedBy signature was updated.


Context

We are importing spire-controller-manager for its API types (api/v1alpha1), not running the controller itself.

Our project also depends on newer versions of controller-runtime for other controllers, which upgrades the version across the dependency graph.


Error

not enough arguments in call to ctrl.NewWebhookManagedBy
have (controllerruntime.Manager)
want (manager.Manager, T)

Example locations:

  • api/v1alpha1/clusterfederatedtrustdomain_webhook.go
  • api/v1alpha1/clusterspiffeid_webhook.go

Root Cause

In controller-runtime v0.23.0, the webhook builder API changed:

ctrl.NewWebhookManagedBy(mgr)

→ now requires:

ctrl.NewWebhookManagedBy(mgr, obj)

spire-controller-manager (including v0.6.4) still uses the old signature, making it incompatible with newer versions.


Related

A Dependabot PR attempting to update dependencies also appears to surface this issue:
#644


Impact

This prevents use of spire-controller-manager as a dependency in projects that require newer controller-runtime versions, even when only importing API types.


Suggested Options

  • Update to support controller-runtime >= v0.23.0
  • Separate API types into a standalone module to avoid pulling in webhook/controller code
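
As an added example (not part of the original issue and not code from either project), here is a small Go check a consuming project could run over its own go.mod to detect the combination the issue describes. The spire-controller-manager module path, the sample go.mod and the function names are assumptions; the v0.23.0 threshold is the one stated in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod for illustration; not taken from the issue.
const sample = `module example.com/consumer
require (
	github.com/spiffe/spire-controller-manager v0.6.4
	sigs.k8s.io/controller-runtime v0.23.0 // indirect
)
`

// requires maps module path to version for every require entry in a go.mod,
// in both single-line and block form. replace directives are not applied.
func requires(gomod string) map[string]string {
	out, inBlock := map[string]string{}, false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop comments
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			out[f[1]] = f[2]
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		}
	}
	return out
}

// affected flags a go.mod that requires spire-controller-manager (any version;
// the issue confirms v0.6.4) together with controller-runtime >= v0.23.0,
// the release the issue names for the NewWebhookManagedBy signature change.
func affected(gomod string) bool {
	req := requires(gomod)
	_, usesSCM := req["github.com/spiffe/spire-controller-manager"]
	var major, minor int
	_, err := fmt.Sscanf(req["sigs.k8s.io/controller-runtime"], "v%d.%d", &major, &minor)
	return usesSCM && err == nil && (major > 0 || minor >= 23)
}

func main() {
	fmt.Println("affected:", affected(sample))
}
```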
