From 0ec8a68329a077516ce46f5c5d5bcce73a613258 Mon Sep 17 00:00:00 2001 From: Michael Wilkerson Date: Thu, 2 Mar 2023 09:38:05 -0800 Subject: [PATCH 1/3] updated go version to fix cve https://go.dev/issue/58001 --- .changelog/1975.txt | 3 +++ .circleci/config.yml | 8 ++++---- .go-version | 2 +- 3 files changed, 8 insertions(+), 5 deletions(-) create mode 100644 .changelog/1975.txt diff --git a/.changelog/1975.txt b/.changelog/1975.txt new file mode 100644 index 0000000000..65024aa6f9 --- /dev/null +++ b/.changelog/1975.txt @@ -0,0 +1,3 @@ +```release-note:security +upgrade to use Go 1.19.6. This resolves vulnerabilities CVE-2022-41724 in crypto/tls and CVE-2022-41723 in net/http. +``` \ No newline at end of file diff --git a/.circleci/config.yml b/.circleci/config.yml index 05f6a209e9..11517a6c43 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -6,7 +6,7 @@ orbs: executors: go: docker: - - image: docker.mirror.hashicorp.services/cimg/go:1.18.3 + - image: docker.mirror.hashicorp.services/cimg/go:1.19.6 environment: TEST_RESULTS: /tmp/test-results # path to where test results are saved @@ -34,9 +34,9 @@ commands: - run: name: Install go, gotestsum, kind, kubectl, and helm command: | - wget https://golang.org/dl/go1.18.3.linux-amd64.tar.gz - sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.18.3.linux-amd64.tar.gz - rm go1.18.3.linux-amd64.tar.gz + wget https://golang.org/dl/go1.19.6.linux-amd64.tar.gz + sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.19.6.linux-amd64.tar.gz + rm go1.19.6.linux-amd64.tar.gz echo 'export PATH=$PATH:/usr/local/go/bin' >> $BASH_ENV wget https://github.com/gotestyourself/gotestsum/releases/download/v1.6.4/gotestsum_1.6.4_linux_amd64.tar.gz diff --git a/.go-version b/.go-version index b9fb27ab4f..2a4feaf54c 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.18.3 +1.19.6 From 3b528e94468401ab67e8009b6b62c732c469a4eb Mon Sep 17 00:00:00 2001 
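Review bot: The Go tarball in the `Install go, gotestsum, kind, kubectl, and helm` step (hunk `@@ -34,9 +34,9 @@` of `.circleci/config.yml`) is still unpacked into `/usr/local` with `sudo tar` without any integrity check, so the toolchain CI builds and tests with is trusted on TLS alone. Since this bump already rewrites all three lines, I would add a checksum gate between the `wget` and the `tar`, for example `echo "<SHA256_OF_go1.19.6.linux-amd64.tar.gz>  go1.19.6.linux-amd64.tar.gz" | sha256sum -c -`, with the value taken from the Go downloads page and updated together with the version string. The gotestsum download on the hunk's last context line appears to have the same gap. The rest of the command block lies outside the hunk, so a later verification step cannot be ruled out from here.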
From: Michael Wilkerson Date: Thu, 2 Mar 2023 09:53:35 -0800 Subject: [PATCH 2/3] updated go version to fix cve https://go.dev/issue/58001 - updated go version to use 1.19 everywhere --- .changelog/1975.txt | 8 ++++++++ acceptance/go.mod | 2 +- charts/consul/test/docker/Test.dockerfile | 2 +- charts/go.mod | 2 +- cli/go.mod | 2 +- control-plane/cni/go.mod | 2 +- control-plane/go.mod | 2 +- hack/aws-acceptance-test-cleanup/go.mod | 2 +- hack/copy-crds-to-chart/go.mod | 2 +- hack/helm-reference-gen/go.mod | 2 +- 10 files changed, 17 insertions(+), 9 deletions(-) diff --git a/.changelog/1975.txt b/.changelog/1975.txt index 65024aa6f9..ba26b1ab1e 100644 --- a/.changelog/1975.txt +++ b/.changelog/1975.txt @@ -1,3 +1,11 @@ ```release-note:security upgrade to use Go 1.19.6. This resolves vulnerabilities CVE-2022-41724 in crypto/tls and CVE-2022-41723 in net/http. +``` + +```release-note:improvement +cli: update minimum go version for project to 1.19. +``` + +```release-note:improvement +control-plane: update minimum go version for project to 1.19. ``` \ No newline at end of file diff --git a/acceptance/go.mod b/acceptance/go.mod index b7b11bc27c..5c8893cac5 100644 --- a/acceptance/go.mod +++ b/acceptance/go.mod @@ -1,6 +1,6 @@ module github.com/hashicorp/consul-k8s/acceptance -go 1.18 +go 1.19 require ( github.com/gruntwork-io/terratest v0.31.2 diff --git a/charts/consul/test/docker/Test.dockerfile b/charts/consul/test/docker/Test.dockerfile index d60e8b0a24..c9351259c2 100644 --- a/charts/consul/test/docker/Test.dockerfile +++ b/charts/consul/test/docker/Test.dockerfile @@ -6,7 +6,7 @@ # a script to configure kubectl, potentially install Helm, and run the tests # manually. This image only has the dependencies pre-installed. -FROM cimg/go:1.18 +FROM cimg/go:1.19 # change the user to root so we can install stuff USER root diff --git a/charts/go.mod b/charts/go.mod index 9c001ddad8..cdb23e46b0 100644 --- a/charts/go.mod +++ b/charts/go.mod 
@@ -1,3 +1,3 @@ module github.com/hashicorp/consul-k8s/charts -go 1.18 +go 1.19 diff --git a/cli/go.mod b/cli/go.mod index cd95397863..3151328406 100644 --- a/cli/go.mod +++ b/cli/go.mod @@ -1,6 +1,6 @@ module github.com/hashicorp/consul-k8s/cli -go 1.18 +go 1.19 require ( github.com/bgentry/speakeasy v0.1.0 diff --git a/control-plane/cni/go.mod b/control-plane/cni/go.mod index 660b720d43..7b97f5d07f 100644 --- a/control-plane/cni/go.mod +++ b/control-plane/cni/go.mod @@ -52,4 +52,4 @@ require ( replace github.com/hashicorp/consul/sdk v0.9.0 => github.com/hashicorp/consul/sdk v0.4.1-0.20220531155537-364758ef2f50 -go 1.18 +go 1.19 diff --git a/control-plane/go.mod b/control-plane/go.mod index 8dd66de28d..e72be74610 100644 --- a/control-plane/go.mod +++ b/control-plane/go.mod @@ -129,4 +129,4 @@ require ( sigs.k8s.io/yaml v1.2.0 // indirect ) -go 1.18 +go 1.19 diff --git a/hack/aws-acceptance-test-cleanup/go.mod b/hack/aws-acceptance-test-cleanup/go.mod index a266c1a7e8..13e8f48909 100644 --- a/hack/aws-acceptance-test-cleanup/go.mod +++ b/hack/aws-acceptance-test-cleanup/go.mod @@ -1,6 +1,6 @@ module github.com/hashicorp/consul-helm/hack/aws-acceptance-test-cleanup -go 1.18 +go 1.19 require ( github.com/aws/aws-sdk-go v1.38.63 diff --git a/hack/copy-crds-to-chart/go.mod b/hack/copy-crds-to-chart/go.mod index 5456f28ce2..73b1f10306 100644 --- a/hack/copy-crds-to-chart/go.mod +++ b/hack/copy-crds-to-chart/go.mod @@ -1,3 +1,3 @@ module github.com/hashicorp/consul-k8s/hack/copy-crds-to-chart -go 1.18 +go 1.19 diff --git a/hack/helm-reference-gen/go.mod b/hack/helm-reference-gen/go.mod index 8595831de1..7e41675f18 100644 --- a/hack/helm-reference-gen/go.mod +++ b/hack/helm-reference-gen/go.mod @@ -1,6 +1,6 @@ module github.com/hashicorp/consul-k8s/hack/helm-reference-gen -go 1.18 +go 1.19 require ( github.com/stretchr/testify v1.6.1 From 16d266ad29b529db8adc8f7ae712d3014b453ccc Mon Sep 17 00:00:00 2001 
From: Michael Wilkerson Date: Thu, 2 Mar 2023 12:08:41 -0800 Subject: [PATCH 3/3] update to remove deprecated ioutil --- .../subcommand/install-cni/cniconfig_test.go | 14 +++++++------- .../subcommand/install-cni/command_test.go | 7 +++---- control-plane/subcommand/install-cni/kubeconfig.go | 3 +-- .../subcommand/install-cni/kubeconfig_test.go | 4 ++-- 4 files changed, 13 insertions(+), 15 deletions(-) diff --git a/control-plane/subcommand/install-cni/cniconfig_test.go b/control-plane/subcommand/install-cni/cniconfig_test.go index 640b9d93cb..b6e2154adb 100644 --- a/control-plane/subcommand/install-cni/cniconfig_test.go +++ b/control-plane/subcommand/install-cni/cniconfig_test.go @@ -2,7 +2,7 @@ package installcni import ( "fmt" - "io/ioutil" + "os" "path/filepath" "testing" @@ -93,10 +93,10 @@ func TestConfListFromConfFile(t *testing.T) { actualFile, err := confListFileFromConfFile(tempCfgFile) require.NoError(t, err) - actual, err := ioutil.ReadFile(actualFile) + actual, err := os.ReadFile(actualFile) require.NoError(t, err) - expected, err := ioutil.ReadFile(expectedCfgFile) + expected, err := os.ReadFile(expectedCfgFile) require.NoError(t, err) require.Equal(t, string(expected), string(actual)) @@ -168,10 +168,10 @@ func TestAppendCNIConfig(t *testing.T) { err = appendCNIConfig(c.consulConfig, tempDestFile) require.NoError(t, err) - actual, err := ioutil.ReadFile(tempDestFile) + actual, err := os.ReadFile(tempDestFile) require.NoError(t, err) - expected, err := ioutil.ReadFile(c.goldenFile) + expected, err := os.ReadFile(c.goldenFile) require.NoError(t, err) require.Equal(t, string(expected), string(actual)) @@ -298,10 +298,10 @@ func TestRemoveCNIConfig(t *testing.T) { t.Fatal(err) } - actual, err := ioutil.ReadFile(tempDestFile) + actual, err := os.ReadFile(tempDestFile) require.NoError(t, err) - expected, err := ioutil.ReadFile(c.cfgFile) + expected, err := os.ReadFile(c.cfgFile) require.NoError(t, err) require.Equal(t, string(expected), string(actual)) 
diff --git a/control-plane/subcommand/install-cni/command_test.go b/control-plane/subcommand/install-cni/command_test.go index a7e97a4aa9..5cb9bea91e 100644 --- a/control-plane/subcommand/install-cni/command_test.go +++ b/control-plane/subcommand/install-cni/command_test.go @@ -3,7 +3,6 @@ package installcni import ( "context" "fmt" - "io/ioutil" "os" "path/filepath" "testing" @@ -65,11 +64,11 @@ func TestRun_DirectoryWatcher(t *testing.T) { require.NoError(t, err) time.Sleep(50 * time.Millisecond) // The golden file contains the consul config. - expected, err := ioutil.ReadFile(goldenFile) + expected, err := os.ReadFile(goldenFile) require.NoError(t, err) // Get the name of the config file in the tempDir and read it. tempDestFile := filepath.Join(tempDir, configFile) - actual, err := ioutil.ReadFile(tempDestFile) + actual, err := os.ReadFile(tempDestFile) require.NoError(t, err) // Filewatcher should have detected a change and appended to the config file. Make sure // files match. @@ -82,7 +81,7 @@ func TestRun_DirectoryWatcher(t *testing.T) { require.NoError(t, err) time.Sleep(50 * time.Millisecond) // Re-read the config file so we can compare the updated config file. - actual, err = ioutil.ReadFile(tempDestFile) + actual, err = os.ReadFile(tempDestFile) require.NoError(t, err) // Filewatcher should have detected change, fixed and appended to the config file. Make sure // files match. diff --git a/control-plane/subcommand/install-cni/kubeconfig.go b/control-plane/subcommand/install-cni/kubeconfig.go index e611828e36..ca93759578 100644 --- a/control-plane/subcommand/install-cni/kubeconfig.go +++ b/control-plane/subcommand/install-cni/kubeconfig.go @@ -3,7 +3,6 @@ package installcni import ( "errors" "fmt" - "io/ioutil" "os" "path/filepath" 
@@ -120,7 +119,7 @@ func serviceAccountToken(tokenPath string) (string, error) { if _, err := os.Stat(tokenPath); errors.Is(err, os.ErrNotExist) { return "", fmt.Errorf("tokenPath does not exist: %w", err) } - token, err := ioutil.ReadFile(tokenPath) + token, err := os.ReadFile(tokenPath) if err != nil { return "", fmt.Errorf("could not read service account token: %w", err) } diff --git a/control-plane/subcommand/install-cni/kubeconfig_test.go b/control-plane/subcommand/install-cni/kubeconfig_test.go index 22a7eae9b1..899ad3f600 100644 --- a/control-plane/subcommand/install-cni/kubeconfig_test.go +++ b/control-plane/subcommand/install-cni/kubeconfig_test.go @@ -1,7 +1,7 @@ package installcni import ( - "io/ioutil" + "os" "path/filepath" "testing" @@ -39,7 +39,7 @@ func TestKubeConfigYaml(t *testing.T) { require.NoError(t, err) golden := filepath.Join("testdata", c.goldenFile) - expected, err := ioutil.ReadFile(golden) + expected, err := os.ReadFile(golden) require.NoError(t, err) require.Equal(t, string(expected), string(actual))
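Review bot: In `serviceAccountToken` the `os.Stat` pre-check is redundant with the `os.ReadFile` that now follows it, and it leaves a small window in which the token file can change between the two calls. `os.ReadFile` already returns an error that satisfies `errors.Is(err, os.ErrNotExist)`, so the existence branch can move under the read: `if errors.Is(err, os.ErrNotExist) { return "", fmt.Errorf("tokenPath does not exist: %w", err) }`. That keeps both error messages and makes a single call decide what the caller sees. The function starts and ends outside this hunk, so how the token bytes are handled afterwards is not visible here.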