diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 7e93e0f..cd8029b 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -21,7 +21,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-go@v4 with: - go-version: 1.19 + go-version: "1.20" - name: install and run golangci-lint uses: golangci/golangci-lint-action@v3.4.0 @@ -35,7 +35,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-go@v4 with: - go-version: 1.19 + go-version: "1.20" - name: Download K8s envtest - local K8s cluster control plane run: | @@ -73,7 +73,7 @@ jobs: uses: helm/chart-testing-action@v2.4.0 - uses: actions/setup-go@v4 with: - go-version: 1.19 + go-version: "1.20" - uses: ko-build/setup-ko@v0.6 name: Setup ko env: @@ -120,7 +120,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-go@v4 with: - go-version: 1.19 + go-version: "1.20" - uses: ko-build/setup-ko@v0.6 name: Setup ko @@ -165,7 +165,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-go@v4 with: - go-version: 1.19 + go-version: "1.20" - name: Install Helm uses: azure/setup-helm@v3 @@ -191,7 +191,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-go@v4 with: - go-version: 1.19 + go-version: "1.20" - uses: ko-build/setup-ko@v0.6 name: Setup ko @@ -232,7 +232,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-go@v4 with: - go-version: 1.19 + go-version: "1.20" - name: Login to DockerHub uses: docker/login-action@v2 diff --git a/go.mod b/go.mod index dcb04d6..3d2d7c0 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/postfinance/kubelet-csr-approver -go 1.19 +go 1.20 require ( github.com/foxcpp/go-mockdns v1.0.0 @@ -10,6 +10,7 @@ require ( github.com/thanhpk/randstr v1.0.4 github.com/tj/assert v0.0.3 go.uber.org/zap v1.24.0 + go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35 k8s.io/api v0.26.3 k8s.io/apimachinery v0.26.3 k8s.io/client-go v0.26.3 
@@ -60,8 +61,6 @@ require ( github.com/spf13/pflag v1.0.5 // indirect go.uber.org/atomic v1.7.0 // indirect go.uber.org/multierr v1.6.0 // indirect - go4.org/intern v0.0.0-20211027215823-ae77deb06f29 // indirect - go4.org/unsafe/assume-no-moving-gc v0.0.0-20220617031537-928513b29760 // indirect golang.org/x/net v0.7.0 // indirect golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect golang.org/x/sys v0.5.0 // indirect @@ -73,7 +72,6 @@ require ( google.golang.org/protobuf v1.28.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - inet.af/netaddr v0.0.0-20220811202034-502d2d690317 k8s.io/apiextensions-apiserver v0.26.1 // indirect k8s.io/component-base v0.26.1 // indirect k8s.io/klog/v2 v2.80.1 // indirect diff --git a/go.sum b/go.sum index 767056a..d968582 100644 --- a/go.sum +++ b/go.sum @@ -32,8 +32,8 @@ cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RX cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/toml v1.2.0 h1:Rt8g24XnyGTyglgET/PRUNlrUeu9F5L+7FilkXfZgs0= github.com/BurntSushi/toml v1.2.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= 
@@ -60,7 +60,6 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= -github.com/dvyukov/go-fuzz v0.0.0-20210103155950-6a8e9d1f2415/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw= github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 
@@ -312,11 +311,8 @@ go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= go.uber.org/zap v1.23.0/go.mod h1:D+nX8jyLsMHMYrln8A0rJjFt/T/9/bGgIhAqxv5URuY= go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= -go4.org/intern v0.0.0-20211027215823-ae77deb06f29 h1:UXLjNohABv4S58tHmeuIZDO6e3mHpW2Dx33gaNt03LE= -go4.org/intern v0.0.0-20211027215823-ae77deb06f29/go.mod h1:cS2ma+47FKrLPdXFpr7CuxiTW3eyJbWew4qx0qtQWDA= -go4.org/unsafe/assume-no-moving-gc v0.0.0-20211027215541-db492cf91b37/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E= -go4.org/unsafe/assume-no-moving-gc v0.0.0-20220617031537-928513b29760 h1:FyBZqvoA/jbNzuAWLQE2kG820zMAkcilx6BMjGbL/E4= -go4.org/unsafe/assume-no-moving-gc v0.0.0-20220617031537-928513b29760/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E= +go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35 h1:nJAwRlGWZZDOD+6wni9KVUNHMpHko/OnRwsrCYeAzPo= +go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35/go.mod h1:TQvodOM+hJTioNQJilmLXu08JNb8i+ccq418+KWu1/Y= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 
@@ -448,7 +444,6 @@ golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -527,7 +522,6 @@ golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -647,8 +641,6 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -inet.af/netaddr v0.0.0-20220811202034-502d2d690317 h1:U2fwK6P2EqmopP/hFLTOAjWTki0qgd4GMJn5X8wOleU= -inet.af/netaddr v0.0.0-20220811202034-502d2d690317/go.mod h1:OIezDfdzOgFhuw4HuWapWq2e9l0H9tK4F1j+ETRtF3k= k8s.io/api v0.26.3 h1:emf74GIQMTik01Aum9dPP0gAypL8JTLl/lHa4V9RFSU= k8s.io/api v0.26.3/go.mod h1:PXsqwPMXBSBcL1lJ9CYDKy7kIReUydukS5JiRlxC3qE= k8s.io/apiextensions-apiserver v0.26.1 h1:cB8h1SRk6e/+i3NOrQgSFij1B2S0Y0wDoNl66bn8RMI= diff --git a/internal/cmd/cmd.go b/internal/cmd/cmd.go index f1cdc19..391aafe 100644 --- a/internal/cmd/cmd.go +++ b/internal/cmd/cmd.go @@ -9,7 +9,10 @@ import ( "regexp" "strings" - "inet.af/netaddr" + "net/netip" + + "go4.org/netipx" + clientset "k8s.io/client-go/kubernetes" "github.com/peterbourgon/ff/v3" @@ -71,10 +74,11 @@ func CreateControllerManager(config *controller.Config, logger logr.Logger) ( csrController.ProviderRegexp = regexp.MustCompile(config.RegexStr).MatchString // IP Prefixes parsing and IPSet construction - var setBuilder netaddr.IPSetBuilder + + var setBuilder netipx.IPSetBuilder for _, ipPrefix := range strings.Split(config.IPPrefixesStr, ",") { - ipPref, err := netaddr.ParseIPPrefix(ipPrefix) + ipPref, err := netip.ParsePrefix(ipPrefix) if err != nil { logger.V(-5).Info(fmt.Sprintf("Unable to parse IP prefix: %s, exiting", ipPrefix)) diff --git a/internal/controller/csr_controller.go b/internal/controller/csr_controller.go index d0e0ebb..63bbe2e 100644 --- a/internal/controller/csr_controller.go +++ b/internal/controller/csr_controller.go 
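Review bot: In internal/cmd/cmd.go, the log line under `netip.ParsePrefix(ipPrefix)` drops `err` and prints the entry with `%s`, so an operator cannot tell why an entry was rejected. The entries come straight from `strings.Split(config.IPPrefixesStr, ",")` without trimming, so a value such as ` 10.0.0.0/8` would fail and the stray whitespace would not show in the message. Since this list becomes the provider IP set that SAN addresses are checked against, I would log both: `logger.V(-5).Info(fmt.Sprintf("Unable to parse IP prefix %q: %v, exiting", ipPrefix, err))`. The new parser may also accept a slightly different set of strings than the old one, which makes the reason more useful after upgrading. The rest of the loop body is outside this hunk.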
@@ -22,7 +22,7 @@ import ( "fmt" "strings" - "inet.af/netaddr" + "go4.org/netipx" certificatesv1 "k8s.io/api/certificates/v1" corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" @@ -49,7 +49,7 @@ type Config struct { RegexStr string ProviderRegexp func(string) bool IPPrefixesStr string - ProviderIPSet *netaddr.IPSet + ProviderIPSet *netipx.IPSet MaxExpirationSeconds int32 K8sConfig *rest.Config DNSResolver HostResolver diff --git a/internal/controller/provider_specific_checks.go b/internal/controller/provider_specific_checks.go index 1f56826..309a72a 100644 --- a/internal/controller/provider_specific_checks.go +++ b/internal/controller/provider_specific_checks.go @@ -8,6 +8,6 @@ import ( // ProviderChecks is a function in which the Cloud Provider specifies a series of checks // to run against the CSRs. The out-of-band identity checks of the CSRs should happen here -func ProviderChecks(csr *certificatesv1.CertificateSigningRequest, x509csr *x509.CertificateRequest) (valid bool, reason string) { +func ProviderChecks(_ *certificatesv1.CertificateSigningRequest, _ *x509.CertificateRequest) (valid bool, reason string) { return true, "" } diff --git a/internal/controller/regex_ip_checks.go b/internal/controller/regex_ip_checks.go index ce9b25e..528f794 100644 --- a/internal/controller/regex_ip_checks.go +++ b/internal/controller/regex_ip_checks.go @@ -4,11 +4,11 @@ import ( "context" "crypto/x509" "fmt" + "net/netip" "strings" "time" - "inet.af/netaddr" - + "go4.org/netipx" certificatesv1 "k8s.io/api/certificates/v1" ) 
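Review bot: In internal/controller/provider_specific_checks.go, ProviderChecks returns `true, ""` unconditionally, and with both parameters now blanked it is explicit that neither the CSR nor the parsed request is inspected, yet the doc comment still reads as if identity checks run here. I would state that in the comment, e.g. `// The default implementation performs no checks and reports every CSR as valid; it must not be relied on as an approval control.` How callers combine this result with the regex, DNS and IP checks is not visible in this diff.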
@@ -62,10 +62,10 @@ func (r *CertificateSigningRequestReconciler) DNSCheck(ctx context.Context, csr allResolvedAddrs = append(allResolvedAddrs, resolvedAddrs...) } - var setBuilder netaddr.IPSetBuilder + var setBuilder netipx.IPSetBuilder for _, a := range allResolvedAddrs { - ipaddr, err := netaddr.ParseIP(a) + ipaddr, err := netip.ParseAddr(a) if err != nil { return false, fmt.Sprintf("Error while parsing resolved IP address %s, denying the CSR", ipaddr), nil } @@ -83,7 +83,7 @@ func (r *CertificateSigningRequestReconciler) DNSCheck(ctx context.Context, csr sanIPAddrs := x509cr.IPAddresses for _, ip := range sanIPAddrs { - ipa, ok := netaddr.FromStdIP(ip) + ipa, ok := netipx.FromStdIP(ip) if !ok { return false, fmt.Sprintf("Error while parsing x509 CR IP address %s, denying the CSR", ip), nil } @@ -99,10 +99,10 @@ func (r *CertificateSigningRequestReconciler) DNSCheck(ctx context.Context, csr // WhitelistedIPCheck verifies that the x509cr SAN IP Addresses are contained in the // set of ProviderSpecified IP addresses -func (r *CertificateSigningRequestReconciler) WhitelistedIPCheck(csr *certificatesv1.CertificateSigningRequest, x509cr *x509.CertificateRequest) (valid bool, reason string, err error) { +func (r *CertificateSigningRequestReconciler) WhitelistedIPCheck(_ *certificatesv1.CertificateSigningRequest, x509cr *x509.CertificateRequest) (valid bool, reason string, err error) { sanIPAddrs := x509cr.IPAddresses for _, ip := range sanIPAddrs { - ipa, ok := netaddr.FromStdIP(ip) + ipa, ok := netipx.FromStdIP(ip) if !ok { return false, fmt.Sprintf("Error while parsing x509 CR IP address %s, denying the CSR", ip), nil }
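Review bot: The denial reason in the `netip.ParseAddr(a)` error branch formats `ipaddr`, which is the zero `netip.Addr` when parsing fails, so the message never shows the string that was rejected. Format the input instead, quoted because it comes from DNS resolution: `return false, fmt.Sprintf("Error while parsing resolved IP address %q, denying the CSR", a), nil`. The branch still denies the CSR, so this only affects how useful the reason is when investigating a rejected request. DNSCheck starts and continues outside this hunk.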
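Review bot: `netipx.FromStdIP(ip)` unmaps IPv4-mapped IPv6 addresses, while the addresses parsed with `netip.ParseAddr(a)` in the previous hunk keep whatever form the string had, so the two sides of the membership test can end up in different forms. A mismatch would deny rather than approve, so it looks fail-closed, but it is worth making explicit: either normalise with `ipaddr = ipaddr.Unmap()` before adding to the builder, or add a comment such as `// FromStdIP unmaps 4-in-6 addresses; set entries must be in unmapped form`. The same conversion appears in WhitelistedIPCheck in the next hunk, where the set is built from `netip.ParsePrefix` in cmd.go. The membership test itself is outside the visible lines, so this is inferred from the conversions alone.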