Dependabot downgraded github.com/cert-manager/cert-manager v1.8.0 => v0.7.2 as a result of upgrading k8s.io/component-base #71

Closed
wallrj opened this issue Jun 8, 2022 · 4 comments · Fixed by #72

Comments

@wallrj
Member

wallrj commented Jun 8, 2022

We enabled dependabot and now it is creating PRs with package upgrades, but strangely, it seems also to be downgrading cert-manager to v0.7.2. E.g.

I get the same result when I manually update that dependency:

$ go version
go version go1.18.3 linux/amd64

$ go get -u k8s.io/component-base
go: downgraded github.com/cert-manager/cert-manager v1.8.0 => v0.7.2
go: upgraded github.com/prometheus/client_golang v1.11.0 => v1.12.1
go: upgraded github.com/prometheus/common v0.28.0 => v0.32.1
go: upgraded github.com/prometheus/procfs v0.6.0 => v0.7.3
go: upgraded golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871 => v0.0.0-20220214200702-86341886e292
go: upgraded golang.org/x/mod v0.5.0 => v0.6.0-dev.0.20220106191415-9b9b3d81d5e3
go: upgraded golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e => v0.0.0-20220209214540-3681064d5158
go: upgraded golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac => v0.0.0-20220210224613-90d013bbcef8
go: upgraded golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff => v0.1.10-0.20220218145154-897bd77cd717
go: upgraded k8s.io/api v0.23.6 => v0.24.1
go: upgraded k8s.io/apimachinery v0.23.6 => v0.24.1
go: upgraded k8s.io/client-go v0.23.6 => v0.24.1
go: upgraded k8s.io/component-base v0.23.6 => v0.24.1
go: upgraded k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 => v0.0.0-20220328201542-3ee0da9b0b42
go: upgraded sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 => v0.0.0-20211208200746-9f7c6b3444d2

diff --git a/go.mod b/go.mod
index ce43443..b0d5a26 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/cert-manager/approver-policy
 go 1.18
 
 require (
-       github.com/cert-manager/cert-manager v1.8.0
+       github.com/cert-manager/cert-manager v0.7.2
        github.com/go-logr/logr v1.2.3
        github.com/onsi/ginkgo v1.16.5
        github.com/onsi/gomega v1.19.0
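Review bot: The require line for github.com/cert-manager/cert-manager goes from v1.8.0 to v0.7.2, a downgrade across a major version that the requested upgrade of k8s.io/component-base does not call for. This should not merge as is: keep the v1.8.0 line, and have CI fail whenever a dependency update lowers a required version in go.mod, so an automated PR cannot roll a module back to an older release unnoticed.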
@@ -11,13 +11,13 @@ require (
        github.com/spf13/cobra v1.4.0
        github.com/spf13/pflag v1.0.5
        github.com/stretchr/testify v1.7.1
-       k8s.io/api v0.23.6
+       k8s.io/api v0.24.1
        k8s.io/apiextensions-apiserver v0.23.6
-       k8s.io/apimachinery v0.23.6
+       k8s.io/apimachinery v0.24.1
        k8s.io/cli-runtime v0.23.6
-       k8s.io/client-go v0.23.6
+       k8s.io/client-go v0.24.1
        k8s.io/code-generator v0.23.6
-       k8s.io/component-base v0.23.6
+       k8s.io/component-base v0.24.1
        k8s.io/klog/v2 v2.60.1
        k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
        sigs.k8s.io/controller-runtime v0.11.2
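Review bot: After this hunk k8s.io/api, k8s.io/apimachinery, k8s.io/client-go and k8s.io/component-base are at v0.24.1 while k8s.io/apiextensions-apiserver, k8s.io/cli-runtime and k8s.io/code-generator remain at v0.23.6, so the k8s.io modules in this require block are split across two minor releases. Suggest moving the whole k8s.io set in a single change and confirming the build and tests pass before accepting any of the bumps.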
@jakexks
Member

jakexks commented Jun 8, 2022

Hmm, 0.7.2 is the last version that exists before we started using go modules. There is possibly some transitive dependency clash.

We really need to split the cert-manager API from the controllers as importing cert-manager in projects that also use k8s.io modules causes these weird issues.

@jsoref
Contributor

jsoref commented Jun 8, 2022

Looks like dependabot/dependabot-core#4536

@wallrj
Member Author

wallrj commented Jun 9, 2022

It seems to downgrade cert-manager as a side-effect of upgrading golang.org/x/sys (for example),
and even with Go 1.17, but not with Go 1.16.

$ git reset --hard origin/main 
HEAD is now at 06dd31d Merge pull request #54 from wallrj/use-dependabot

# Go 1.18 downgrades cert-manager

$ go1.18.3 get -u golang.org/x/sys
go: downgraded github.com/cert-manager/cert-manager v1.8.0 => v0.7.2
go: upgraded golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e => v0.0.0-20220608164250-635b8c9b7f68

$ git reset --hard origin/main
...

# Go 1.17 downgrades cert-manager

$ go1.17.2 get -u golang.org/x/sys
go get: downgraded github.com/cert-manager/cert-manager v1.8.0 => v0.7.2
go get: upgraded golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e => v0.0.0-20220608164250-635b8c9b7f68

$ git reset --hard origin/main
...

# Go 1.16 does not

$ go1.16.1 get -u golang.org/x/sys
go get: upgraded github.com/Microsoft/go-winio v0.5.0 => v0.5.1
go get: upgraded github.com/spf13/viper v1.8.1 => v1.10.0
go get: upgraded golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e => v0.0.0-20220608164250-635b8c9b7f68

@wallrj wallrj linked a pull request Jun 10, 2022 that will close this issue
@wallrj
Member Author

wallrj commented Jun 25, 2022

Creating a separate hack/tools/go.mod has fixed the issue.

@wallrj wallrj closed this as completed Jun 25, 2022
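A check for the failure reported in this issue, as an added example (not code from the approver-policy project or from any commenter): it reads a unified diff of go.mod and lists every module whose required version went down, which a CI job could use to block an automated update PR. The function names, the simplified version ordering and the sample input are assumptions of the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// reqLine matches an added or removed require entry in a unified diff of go.mod.
var reqLine = regexp.MustCompile(`^([+-])\s+(\S+)\s+(v(\d+)\.(\d+)\.(\d+)(-[^\s+]+)?)`)

// key maps a matched version to a string whose byte order follows version
// order: space-padded numbers, then "~" for a release so that it sorts above
// any "-prerelease" or pseudo-version suffix. This simplifies full semver rules.
func key(m []string) string {
	suffix := m[7]
	if suffix == "" {
		suffix = "~"
	}
	return fmt.Sprintf("%9s.%9s.%9s%s", m[4], m[5], m[6], suffix)
}

// Downgrades lists each module whose "+" version is lower than its "-" version.
// It assumes the removed line precedes the added one, as in `git diff` output.
func Downgrades(diff string) []string {
	old, out := map[string][]string{}, []string{}
	for _, line := range strings.Split(diff, "\n") {
		m := reqLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if prev, ok := old[m[2]]; m[1] == "+" && ok && key(m) < key(prev) {
			out = append(out, m[2]+" "+prev[3]+" => "+m[3])
		} else if m[1] == "-" {
			old[m[2]] = m
		}
	}
	return out
}

// sample is constructed from the go.mod diff quoted in this issue.
const sample = "-\tgithub.com/cert-manager/cert-manager v1.8.0\n" +
	"+\tgithub.com/cert-manager/cert-manager v0.7.2\n" +
	"-\tk8s.io/api v0.23.6\n+\tk8s.io/api v0.24.1\n"

func main() {
	fmt.Println(strings.Join(Downgrades(sample), "\n"))
}
```

Feeding it the output of `git diff -- go.mod` on an update branch and failing the job when the result is non-empty turns the silent downgrade into a visible build failure.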