update go modules #381
update go modules #381
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
Hi @ipochi. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
size/L
|
@ipochi: GitHub didn't allow me to request PR reviews from the following users: jveski. Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.0 | ||
| golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48 | ||
| google.golang.org/grpc v1.48.0 | ||
| google.golang.org/protobuf v1.28.1 |
There was a problem hiding this comment.
I realize protobug moved. Need to check that there are no additional steps needed when we switch package.
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
ipochi
force-pushed
the
imran/go-mod-update
branch
from
23505fb to
db7f800
Compare
|
/test pull-apiserver-network-proxy-test |
|
/ok-to-test |
ipochi
force-pushed
the
imran/go-mod-update
branch
2 times, most recently
from
bf41994 to
1849963
Compare
k8s-ci-robot
added
size/XL
ipochi
force-pushed
the
imran/go-mod-update
branch
from
1849963 to
b1a6d99
Compare
|
/test pull-apiserver-network-proxy-make-lint |
ipochi
force-pushed
the
imran/go-mod-update
branch
from
b1a6d99 to
ef352a2
Compare
|
/test pull-apiserver-network-proxy-test |
|
/test pull-apiserver-network-proxy-make-lint |
ipochi
force-pushed
the
imran/go-mod-update
branch
2 times, most recently
from
29e7193 to
f00900c
Compare
k8s-ci-robot
added
the
needs-rebase
Updates the builder image version to 1.18.5 and updates the go modules to mitigate CVEs. The list of vulnerabilities found in the binaries are listed in [comment](kubernetes-sigs#372 (comment)). Signed-off-by: Imran Pochi <imranpochi@microsoft.com>
Signed-off-by: Imran Pochi <imranpochi@microsoft.com>
G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec) Configuring with a sensible default of 60s. Nginx uses the same default value (http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout) Signed-off-by: Imran Pochi <imranpochi@microsoft.com>
ipochi
force-pushed
the
imran/go-mod-update
branch
from
900a202 to
93d1da1
Compare
k8s-ci-robot
removed
the
needs-rebase
ipochi
force-pushed
the
imran/go-mod-update
branch
from
93d1da1 to
04595aa
Compare
|
/test pull-apiserver-network-proxy-make-lint |
|
/test pull-apiserver-network-proxy-test |
|
/test pull-apiserver-network-proxy-make-lint |
|
/test pull-apiserver-network-proxy-test |
|
Finally the lint job succeeds. moved all the components to go v1.18.5. Please review :) |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cheftako, ipochi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
| k8s.io/apimachinery v0.24.3 | ||
| k8s.io/client-go v0.24.3 | ||
| k8s.io/component-base v0.24.3 | ||
| k8s.io/klog/v2 v2.70.1 | ||
| sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.0 | ||
| ) | ||
|
|
||
| require ( |
There was a problem hiding this comment.
this added a lot of new dependencies, many of which we explicitly don't want to depend on transitively in Kubernetes:
- github.com/go-openapi/...
- new incompatible version of github.com/imdario/mergo (xref remove use of github.com/imdario/mergo (currently use is incompatible with latest mergo version, latest mergo version introduces bugs) kubernetes/kubernetes#107499)
Also, this only updated the root go.mod file, not the client konnectivity-client/go.mod file, so now this repo has two disparate dependency trees. If the client go.mod file was updated the same way this was, we would be unable to pull new versions into kubernetes.
How were the versions of these updated modules selected?
There was a problem hiding this comment.
The two that you mentioned are both transitive dependencies through client-go. I don't know how that specific client-go version was selected, but since this PR sat open for a long time I'm guessing it was the latest version when this PR was opened.
We haven't been keeping the konnectivity-client go.mod in sync with this since we're tracking the module versions from the oldest version of k8s we support in the client. We should maybe consider adding a presubmit to ensure that konnectivity-client doesn't take any dependencies on kubernetes staging repos, but hopefully our PR review process would catch that.
https://github.com/kubernetes/client-go/blob/v0.24.3/go.mod#L26
There was a problem hiding this comment.
oops, I misread the go-openapi additions, these are the ones we want to avoid:
"github.com/go-openapi/analysis": "use k8s.io/kube-openapi/pkg/validation/spec",
"github.com/go-openapi/spec": "use k8s.io/kube-openapi/pkg/validation/spec instead",
"github.com/go-openapi/strfmt": "use k8s.io/kube-openapi/pkg/validation/strfmt instead",
"github.com/go-openapi/validate": "use k8s.io/kube-openapi/pkg/validation/validate instead",
the github.com/imdario/mergo one is a known dependency but the version selected here is known to be problematic (see the linked issue above)
| @@ -350,7 +354,7 @@ func (p *Proxy) runAdminServer(o *options.ProxyRunOptions, server *server.ProxyS | |||
| } | |||
| } | |||
| adminServer := &http.Server{ | |||
| Addr: net.JoinHostPort(o.AdminBindAddress, strconv.Itoa(o.AdminPort)), | |||
| Addr: fmt.Sprintf("127.0.0.1:%d", o.AdminPort), | |||
There was a problem hiding this comment.
Why was this changed? Looks like maybe a bad rebase?
There was a problem hiding this comment.
+1. However this was merged Sept 2, over 3 months ago.
See discussion at kubernetes-sigs#381 What I did: - match requirements with k/k release-1.24 branch - for k8s.io/api and friends, take latest 1.24 tag (v0.24.8) - go mod tidy
See discussion at kubernetes-sigs#381 What I did: - match requirements with k/k release-1.24 branch - for k8s.io/api and friends, take latest 1.24 tag (v0.24.8) - delete indirect require section (to generate from scratch) - go mod tidy
Updates the builder image version to 1.18.5 and updates the go modules
to mitigate CVEs. The list of vulnerabilities found in the binaries are
listed in comment.
Signed-off-by: Imran Pochi imranpochi@microsoft.com