Fix CVEs by updating controller-runtime (#2183)

* Bump version of controller runtime

* Use SubResourceUpdateOption

* Fix test loggr

* Fix ProbeHandler

* Set runtime to 0.14.6

* Add Changelog

* Fix up a few more breaking change issues

.changelog/2183.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Fix Prometheus CVEs by bumping controller-runtime.
+```

control-plane/api/common/configentry_webhook_test.go

@@ -9,7 +9,7 @@ import (
 	"errors"
 	"testing"
 
-	logrtest "github.com/go-logr/logr/testing"
+	logrtest "github.com/go-logr/logr/testr"
 	capi "github.com/hashicorp/consul/api"
 	"github.com/stretchr/testify/require"
 	"gomodules.xyz/jsonpatch/v2"
@@ -115,7 +115,7 @@ func TestValidateConfigEntry(t *testing.T) {
 					},
 				},
 			},
-				logrtest.NewTestLogger(t),
+				logrtest.New(t),
 				lister,
 				c.newResource,
 				ConsulMeta{

control-plane/api/v1alpha1/exportedservices_webhook_test.go

@@ -8,7 +8,7 @@ import (
 	"encoding/json"
 	"testing"
 
-	logrtest "github.com/go-logr/logr/testing"
+	logrtest "github.com/go-logr/logr/testr"
 	"github.com/hashicorp/consul-k8s/control-plane/api/common"
 	"github.com/stretchr/testify/require"
 	admissionv1 "k8s.io/api/admission/v1"
@@ -180,7 +180,7 @@ func TestValidateExportedServices(t *testing.T) {
 
 			validator := &ExportedServicesWebhook{
 				Client:     client,
-				Logger:     logrtest.NewTestLogger(t),
+				Logger:     logrtest.New(t),
 				decoder:    decoder,
 				ConsulMeta: c.consulMeta,
 			}

control-plane/api/v1alpha1/mesh_webhook_test.go

@@ -8,7 +8,7 @@ import (
 	"encoding/json"
 	"testing"
 
-	logrtest "github.com/go-logr/logr/testing"
+	logrtest "github.com/go-logr/logr/testr"
 	"github.com/hashicorp/consul-k8s/control-plane/api/common"
 	"github.com/stretchr/testify/require"
 	admissionv1 "k8s.io/api/admission/v1"
@@ -97,7 +97,7 @@ func TestValidateMesh(t *testing.T) {
 
 			validator := &MeshWebhook{
 				Client:  client,
-				Logger:  logrtest.NewTestLogger(t),
+				Logger:  logrtest.New(t),
 				decoder: decoder,
 			}
 			response := validator.Handle(ctx, admission.Request{

control-plane/api/v1alpha1/peeringacceptor_webhook_test.go

@@ -8,7 +8,7 @@ import (
 	"encoding/json"
 	"testing"
 
-	logrtest "github.com/go-logr/logr/testing"
+	logrtest "github.com/go-logr/logr/testr"
 	"github.com/stretchr/testify/require"
 	admissionv1 "k8s.io/api/admission/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -138,7 +138,7 @@ func TestValidatePeeringAcceptor(t *testing.T) {
 
 			validator := &PeeringAcceptorWebhook{
 				Client:  client,
-				Logger:  logrtest.NewTestLogger(t),
+				Logger:  logrtest.New(t),
 				decoder: decoder,
 			}
 			response := validator.Handle(ctx, admission.Request{

control-plane/api/v1alpha1/peeringdialer_webhook_test.go

@@ -8,7 +8,7 @@ import (
 	"encoding/json"
 	"testing"
 
-	logrtest "github.com/go-logr/logr/testing"
+	logrtest "github.com/go-logr/logr/testr"
 	"github.com/stretchr/testify/require"
 	admissionv1 "k8s.io/api/admission/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -138,7 +138,7 @@ func TestValidatePeeringDialer(t *testing.T) {
 
 			validator := &PeeringDialerWebhook{
 				Client:  client,
-				Logger:  logrtest.NewTestLogger(t),
+				Logger:  logrtest.New(t),
 				decoder: decoder,
 			}
 			response := validator.Handle(ctx, admission.Request{

control-plane/api/v1alpha1/proxydefaults_webhook_test.go

@@ -8,7 +8,7 @@ import (
 	"encoding/json"
 	"testing"
 
-	logrtest "github.com/go-logr/logr/testing"
+	logrtest "github.com/go-logr/logr/testr"
 	"github.com/hashicorp/consul-k8s/control-plane/api/common"
 	"github.com/stretchr/testify/require"
 	admissionv1 "k8s.io/api/admission/v1"
@@ -122,7 +122,7 @@ func TestValidateProxyDefault(t *testing.T) {
 
 			validator := &ProxyDefaultsWebhook{
 				Client:  client,
-				Logger:  logrtest.NewTestLogger(t),
+				Logger:  logrtest.New(t),
 				decoder: decoder,
 			}
 			response := validator.Handle(ctx, admission.Request{

control-plane/api/v1alpha1/serviceintentions_webhook_test.go

@@ -9,7 +9,7 @@ import (
 	"fmt"
 	"testing"
 
-	logrtest "github.com/go-logr/logr/testing"
+	logrtest "github.com/go-logr/logr/testr"
 	"github.com/hashicorp/consul-k8s/control-plane/api/common"
 	"github.com/stretchr/testify/require"
 	"gomodules.xyz/jsonpatch/v2"
@@ -253,7 +253,7 @@ func TestHandle_ServiceIntentions_Create(t *testing.T) {
 
 			validator := &ServiceIntentionsWebhook{
 				Client:  client,
-				Logger:  logrtest.NewTestLogger(t),
+				Logger:  logrtest.New(t),
 				decoder: decoder,
 				ConsulMeta: common.ConsulMeta{
 					NamespacesEnabled: true,
@@ -442,7 +442,7 @@ func TestHandle_ServiceIntentions_Update(t *testing.T) {
 
 			validator := &ServiceIntentionsWebhook{
 				Client:  client,
-				Logger:  logrtest.NewTestLogger(t),
+				Logger:  logrtest.New(t),
 				decoder: decoder,
 				ConsulMeta: common.ConsulMeta{
 					NamespacesEnabled: true,
@@ -602,7 +602,7 @@ func TestHandle_ServiceIntentions_Patches(t *testing.T) {
 
 				validator := &ServiceIntentionsWebhook{
 					Client:  client,
-					Logger:  logrtest.NewTestLogger(t),
+					Logger:  logrtest.New(t),
 					decoder: decoder,
 					ConsulMeta: common.ConsulMeta{
 						NamespacesEnabled: namespacesEnabled,

control-plane/connect-inject/controllers/endpoints/consul_client_health_checks_test.go

@@ -6,7 +6,7 @@ package endpoints
 import (
 	"testing"
 
-	logrtest "github.com/go-logr/logr/testing"
+	logrtest "github.com/go-logr/logr/testr"
 	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
 	"github.com/hashicorp/consul-k8s/control-plane/helper/test"
 	"github.com/hashicorp/consul-server-connection-manager/discovery"
@@ -241,7 +241,7 @@ func TestUpdateHealthCheckOnConsulClient(t *testing.T) {
 
 			ctrl := Controller{
 				ConsulClientConfig: testClient.Cfg,
-				Log:                logrtest.NewTestLogger(t),
+				Log:                logrtest.New(t),
 			}
 
 			err := ctrl.updateHealthCheckOnConsulClient(testClient.Cfg.APIClientConfig, pod, endpoints, c.updateToStatus)

control-plane/connect-inject/controllers/endpoints/endpoints_controller_test.go

@@ -10,7 +10,7 @@ import (
 	"testing"
 
 	mapset "github.com/deckarep/golang-set"
-	logrtest "github.com/go-logr/logr/testing"
+	logrtest "github.com/go-logr/logr/testr"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
@@ -603,7 +603,7 @@ func TestProcessUpstreams(t *testing.T) {
 	for _, tt := range cases {
 		t.Run(tt.name, func(t *testing.T) {
 			ep := &Controller{
-				Log:                    logrtest.NewTestLogger(t),
+				Log:                    logrtest.New(t),
 				AllowK8sNamespacesSet:  mapset.NewSetWith("*"),
 				DenyK8sNamespacesSet:   mapset.NewSetWith(),
 				EnableConsulNamespaces: tt.consulNamespacesEnabled,
@@ -902,7 +902,7 @@ func TestReconcileCreateEndpoint_MultiportService(t *testing.T) {
 			// Create the endpoints controller
 			ep := &Controller{
 				Client:                fakeClient,
-				Log:                   logrtest.NewTestLogger(t),
+				Log:                   logrtest.New(t),
 				ConsulClientConfig:    testClient.Cfg,
 				ConsulServerConnMgr:   testClient.Watcher,
 				AllowK8sNamespacesSet: mapset.NewSetWith("*"),
@@ -2057,7 +2057,7 @@ func TestReconcileCreateEndpoint(t *testing.T) {
 			// Create the endpoints controller.
 			ep := &Controller{
 				Client:                fakeClient,
-				Log:                   logrtest.NewTestLogger(t),
+				Log:                   logrtest.New(t),
 				ConsulClientConfig:    testClient.Cfg,
 				ConsulServerConnMgr:   testClient.Watcher,
 				AllowK8sNamespacesSet: mapset.NewSetWith("*"),
@@ -3377,7 +3377,7 @@ func TestReconcileUpdateEndpoint(t *testing.T) {
 			// Create the endpoints controller.
 			ep := &Controller{
 				Client:                fakeClient,
-				Log:                   logrtest.NewTestLogger(t),
+				Log:                   logrtest.New(t),
 				ConsulClientConfig:    testClient.Cfg,
 				ConsulServerConnMgr:   testClient.Watcher,
 				AllowK8sNamespacesSet: mapset.NewSetWith("*"),
@@ -3627,7 +3627,7 @@ func TestReconcileUpdateEndpoint_LegacyService(t *testing.T) {
 			// Create the endpoints controller.
 			ep := &Controller{
 				Client:                fakeClient,
-				Log:                   logrtest.NewTestLogger(t),
+				Log:                   logrtest.New(t),
 				ConsulClientConfig:    testClient.Cfg,
 				ConsulServerConnMgr:   testClient.Watcher,
 				AllowK8sNamespacesSet: mapset.NewSetWith("*"),
@@ -4001,7 +4001,7 @@ func TestReconcileDeleteEndpoint(t *testing.T) {
 			// Create the endpoints controller
 			ep := &Controller{
 				Client:                fakeClient,
-				Log:                   logrtest.NewTestLogger(t),
+				Log:                   logrtest.New(t),
 				ConsulClientConfig:    testClient.Cfg,
 				ConsulServerConnMgr:   testClient.Watcher,
 				AllowK8sNamespacesSet: mapset.NewSetWith("*"),
@@ -4146,7 +4146,7 @@ func TestReconcileIgnoresServiceIgnoreLabel(t *testing.T) {
 			// Create the endpoints controller.
 			ep := &Controller{
 				Client:                fakeClient,
-				Log:                   logrtest.NewTestLogger(t),
+				Log:                   logrtest.New(t),
 				ConsulClientConfig:    testClient.Cfg,
 				ConsulServerConnMgr:   testClient.Watcher,
 				AllowK8sNamespacesSet: mapset.NewSetWith("*"),
@@ -4232,7 +4232,7 @@ func TestReconcile_podSpecifiesExplicitService(t *testing.T) {
 	// Create the endpoints controller.
 	ep := &Controller{
 		Client:                fakeClient,
-		Log:                   logrtest.NewTestLogger(t),
+		Log:                   logrtest.New(t),
 		ConsulClientConfig:    testClient.Cfg,
 		ConsulServerConnMgr:   testClient.Watcher,
 		AllowK8sNamespacesSet: mapset.NewSetWith("*"),
@@ -5711,7 +5711,7 @@ func TestCreateServiceRegistrations_withTransparentProxy(t *testing.T) {
 				Client:                 fakeClient,
 				EnableTransparentProxy: c.tproxyGlobalEnabled,
 				TProxyOverwriteProbes:  c.overwriteProbes,
-				Log:                    logrtest.NewTestLogger(t),
+				Log:                    logrtest.New(t),
 			}
 
 			serviceRegistration, proxyServiceRegistration, err := epCtrl.createServiceRegistrations(*pod, *endpoints, api.HealthPassing)

control-plane/connect-inject/controllers/peering/peering_acceptor_controller_test.go

@@ -10,7 +10,7 @@ import (
 	"testing"
 	"time"
 
-	logrtest "github.com/go-logr/logr/testing"
+	logrtest "github.com/go-logr/logr/testr"
 	"github.com/hashicorp/consul-k8s/control-plane/api/v1alpha1"
 	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
 	"github.com/hashicorp/consul-k8s/control-plane/helper/test"
@@ -520,7 +520,7 @@ func TestReconcile_CreateUpdatePeeringAcceptor(t *testing.T) {
 				Client:                   fakeClient,
 				ExposeServersServiceName: "test-expose-servers",
 				ReleaseNamespace:         "default",
-				Log:                      logrtest.NewTestLogger(t),
+				Log:                      logrtest.New(t),
 				ConsulClientConfig:       testClient.Cfg,
 				ConsulServerConnMgr:      testClient.Watcher,
 				Scheme:                   s,
@@ -638,7 +638,7 @@ func TestReconcile_DeletePeeringAcceptor(t *testing.T) {
 	// Create the peering acceptor controller.
 	controller := &AcceptorController{
 		Client:              fakeClient,
-		Log:                 logrtest.NewTestLogger(t),
+		Log:                 logrtest.New(t),
 		ConsulClientConfig:  testClient.Cfg,
 		ConsulServerConnMgr: testClient.Watcher,
 		Scheme:              s,
@@ -782,7 +782,7 @@ func TestReconcile_VersionAnnotation(t *testing.T) {
 			// Create the peering acceptor controller
 			controller := &AcceptorController{
 				Client:              fakeClient,
-				Log:                 logrtest.NewTestLogger(t),
+				Log:                 logrtest.New(t),
 				ConsulClientConfig:  testClient.Cfg,
 				ConsulServerConnMgr: testClient.Watcher,
 				Scheme:              s,
@@ -1086,7 +1086,7 @@ func TestAcceptorUpdateStatus(t *testing.T) {
 			// Create the peering acceptor controller.
 			pac := &AcceptorController{
 				Client: fakeClient,
-				Log:    logrtest.NewTestLogger(t),
+				Log:    logrtest.New(t),
 				Scheme: s,
 			}
 
@@ -1198,7 +1198,7 @@ func TestAcceptorUpdateStatusError(t *testing.T) {
 			// Create the peering acceptor controller.
 			controller := &AcceptorController{
 				Client: fakeClient,
-				Log:    logrtest.NewTestLogger(t),
+				Log:    logrtest.New(t),
 				Scheme: s,
 			}
 
@@ -1481,7 +1481,7 @@ func TestAcceptor_RequestsForPeeringTokens(t *testing.T) {
 			fakeClient := fake.NewClientBuilder().WithScheme(s).WithRuntimeObjects(tt.secret, &tt.acceptors).Build()
 			controller := AcceptorController{
 				Client: fakeClient,
-				Log:    logrtest.NewTestLogger(t),
+				Log:    logrtest.New(t),
 			}
 			result := controller.requestsForPeeringTokens(tt.secret)
 

control-plane/connect-inject/controllers/peering/peering_dialer_controller_test.go

@@ -9,7 +9,7 @@ import (
 	"testing"
 	"time"
 
-	logrtest "github.com/go-logr/logr/testing"
+	logrtest "github.com/go-logr/logr/testr"
 	"github.com/hashicorp/consul-k8s/control-plane/api/v1alpha1"
 	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
 	"github.com/hashicorp/consul-k8s/control-plane/consul"
@@ -321,7 +321,7 @@ func TestReconcile_CreateUpdatePeeringDialer(t *testing.T) {
 			// Create the peering dialer controller
 			controller := &PeeringDialerController{
 				Client:              fakeClient,
-				Log:                 logrtest.NewTestLogger(t),
+				Log:                 logrtest.New(t),
 				ConsulClientConfig:  testClient.Cfg,
 				ConsulServerConnMgr: testClient.Watcher,
 				Scheme:              s,
@@ -531,7 +531,7 @@ func TestReconcile_VersionAnnotationPeeringDialer(t *testing.T) {
 			// Create the peering dialer controller
 			controller := &PeeringDialerController{
 				Client:              fakeClient,
-				Log:                 logrtest.NewTestLogger(t),
+				Log:                 logrtest.New(t),
 				ConsulClientConfig:  consulConfig,
 				ConsulServerConnMgr: watcher,
 				Scheme:              s,
@@ -755,7 +755,7 @@ func TestReconcileDeletePeeringDialer(t *testing.T) {
 	// Create the peering dialer controller.
 	pdc := &PeeringDialerController{
 		Client:              fakeClient,
-		Log:                 logrtest.NewTestLogger(t),
+		Log:                 logrtest.New(t),
 		ConsulClientConfig:  testClient.Cfg,
 		ConsulServerConnMgr: testClient.Watcher,
 		Scheme:              s,
@@ -887,7 +887,7 @@ func TestDialerUpdateStatus(t *testing.T) {
 			// Create the peering dialer controller.
 			controller := &PeeringDialerController{
 				Client: fakeClient,
-				Log:    logrtest.NewTestLogger(t),
+				Log:    logrtest.New(t),
 				Scheme: s,
 			}
 
@@ -999,7 +999,7 @@ func TestDialerUpdateStatusError(t *testing.T) {
 			// Create the peering dialer controller.
 			controller := &PeeringDialerController{
 				Client: fakeClient,
-				Log:    logrtest.NewTestLogger(t),
+				Log:    logrtest.New(t),
 				Scheme: s,
 			}
 
@@ -1282,7 +1282,7 @@ func TestDialer_RequestsForPeeringTokens(t *testing.T) {
 			fakeClient := fake.NewClientBuilder().WithScheme(s).WithRuntimeObjects(tt.secret, &tt.dialers).Build()
 			controller := PeeringDialerController{
 				Client: fakeClient,
-				Log:    logrtest.NewTestLogger(t),
+				Log:    logrtest.New(t),
 			}
 			result := controller.requestsForPeeringTokens(tt.secret)