Use mcr.microsoft.com/oss/go/microsoft/golang:1.22.5-bookworm as the Go build image.
This avoids rate limiting pulling the alpine-based image from Docker Hub.
In the Microsoft golang image, /bin/sh is not bash, so `-o pipefail` isn't available.
Fix it by setting build.sh to use /bin/bash explicitly.
golangci-lint v1.59.0 exits with error code 7 if there are any
errors logged:
4ba2155996
There were some errors in the lint job due to use of deprecated linters:
level=error msg="[linters_context] deadcode: This linter is fully inactivated: it will not produce any reports."
level=error msg="[linters_context] structcheck: This linter is fully inactivated: it will not produce any reports."
level=error msg="[linters_context] varcheck: This linter is fully inactivated: it will not produce any reports."
Fix it by removing the deprecated linters.
Run workflow only on tag "v*" push, not workflow_dispatch.
Remove references to changelog GH action.
Run build and publish steps on 1ES GitHub runners.
Previously we were on K8s v1.24 which is no longer supported in AKS.
Update to v1.27.8 so we're on an LTS version.
This also resolves some CVEs that were picked up by trivy,
although none of them affect ip-masq-agent.
Unfortunately, the test utilities we were using from k8s 1.24
changed significantly in k8s 1.25
913f4bc0ba
Update the tests to use the new test utilities. This is a port of the work from
upstream ip-masq-agent:
8f9743a45c
Match the version of Go used in the build image.
This also prunes some dependencies, see
"Pruned module graphs in go 1.17 modules" in the Go 1.17 release
notes for details: https://go.dev/doc/go1.17
Buildkit is required for multi-platform builds.
Docker version 23.0 enables buildkit by default,
but GitHub runner instances currently use version 20.10.24.
Set the DOCKER_BUILDKIT flag to enable it.
Use builder image with go 1.20 to match upstream.
Use base image registry.k8s.io/build-image/distroless-iptables:v0.2.4
Since distroless-iptables is a multi-arch image, configure the
Dockerfile and Makefile to specify --platform for each target
platform. This allows us to use the upstream base image from
registry.k8s.io directly without building manually and pushing
to a separate ACR.
This commit also removes the Windows target. Git commit history
says this got added in commit b9e714d4ef
"Update to the current thockin/go-build-template"
However, upstream ip-masq-agent never added the Windows target,
and distroless-iptables doesn't support it. We don't use
ip-masq-agent on Windows, so I think it's safe to remove.
Tested the new images on both AMD64 and ARM64 nodes in an
AKS overlay cluster. Verified that the cluster created successfully,
ip-masq-agent was running on both AMD64 and ARM64 nodes,
and the ip-masq-agent iptables rules were installed.
* update Kubernetes packages for security fixes
* update CHANGELOG
* k8s.io/component-base/logs to replace old log pkg
* k8s.io/component-base/version/verflag to replace old verflag pkg
* run loop should return error and crash the daemon on errors
* error tests for bad configs
* go fmt test file
* validate each config to provide the error containing file
validating at the end makes it harder to debug and figure out which
config is the bad file. will also short circuit on a bad config rather than
processing all
* go fmt test file
* Sticking with %q convention for file names
the quotes add some specificity (but mainly just concerned about sticking with what we have in other error messages).
* update tests for previous commit
* missed a quote
Co-authored-by: Matt Stam <mattstam@live.com>