Bump Go version to 1.22.11

[y1hao]

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

Bump Go version to latest 1.22 release.

Which issue(s) this PR fixes:
Part of #6063

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Karmada now built with Golang v1.22.11.

[karmada-bot]

Welcome @y1hao! It looks like this is your first PR to karmada-io/karmada 🎉

[y1hao]

1. The casing is a bit weird - should it be MIN_GO_VERSION? Maybe I can change it in a separate PR?
2. Is this version always in sync with the versions in .go-version and go.mod? How about just reading it from .go-version? Actually, I think this can work: MIN_GO_VERSION="go$(go list -m -f {{.GoVersion}})"

[RainbowMango]

Both are great to me! Thanks.

[y1hao]

The 2 failing unit tests in CI in membercluster_client_test.go don't seem to be related to this change. When I run them locally they pass. Are they flaky?

[RainbowMango]

The 2 failing unit tests in CI in membercluster_client_test.go don't seem to be related to this change. When I run them locally they pass. Are they flaky?

Yes, I think so.

https://github.com/karmada-io/karmada/actions/runs/12851418469/job/35832193075?pr=6066

=== Failed
=== FAIL: pkg/util TestNewClusterClientSet_ClientWorks (0.02s)
2025/01/19 07:28:02 http: TLS handshake error from 127.0.0.1:42898: remote error: tls: bad certificate
    membercluster_client_test.go:480: 
        	Error Trace:	/home/runner/work/karmada/karmada/pkg/util/membercluster_client_test.go:480
        	Error:      	Received unexpected error:
        	            	Get "https://127.0.0.1:44229/api/v1/nodes/foo": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Acme Co")
        	Test:       	TestNewClusterClientSet_ClientWorks
    membercluster_client_test.go:488: 
        	Error Trace:	/home/runner/work/karmada/karmada/pkg/util/membercluster_client_test.go:488
        	Error:      	Not equal: 
        	            	expected: &v1.Node{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"foo", GenerateName:"", Namespace:"", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC), DeletionTimestamp:<nil>, DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]string(nil), ManagedFields:[]v1.ManagedFieldsEntry(nil)}, Spec:v1.NodeSpec{PodCIDR:"", PodCIDRs:[]string(nil), ProviderID:"", Unschedulable:false, Taints:[]v1.Taint(nil), ConfigSource:(*v1.NodeConfigSource)(nil), DoNotUseExternalID:""}, Status:v1.NodeStatus{Capacity:v1.ResourceList(nil), Allocatable:v1.ResourceList(nil), Phase:"", Conditions:[]v1.NodeCondition(nil), Addresses:[]v1.NodeAddress(nil), DaemonEndpoints:v1.NodeDaemonEndpoints{KubeletEndpoint:v1.DaemonEndpoint{Port:0}}, NodeInfo:v1.NodeSystemInfo{MachineID:"", SystemUUID:"", BootID:"", KernelVersion:"", OSImage:"", ContainerRuntimeVersion:"", KubeletVersion:"", KubeProxyVersion:"", OperatingSystem:"", Architecture:""}, Images:[]v1.ContainerImage(nil), VolumesInUse:[]v1.UniqueVolumeName(nil), VolumesAttached:[]v1.AttachedVolume(nil), Config:(*v1.NodeConfigStatus)(nil), RuntimeHandlers:[]v1.NodeRuntimeHandler(nil), Features:(*v1.NodeFeatures)(nil)}}
        	            	actual  : &v1.Node{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"", GenerateName:"", Namespace:"", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC), DeletionTimestamp:<nil>, DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]string(nil), ManagedFields:[]v1.ManagedFieldsEntry(nil)}, Spec:v1.NodeSpec{PodCIDR:"", PodCIDRs:[]string(nil), ProviderID:"", Unschedulable:false, Taints:[]v1.Taint(nil), ConfigSource:(*v1.NodeConfigSource)(nil), DoNotUseExternalID:""}, Status:v1.NodeStatus{Capacity:v1.ResourceList(nil), Allocatable:v1.ResourceList(nil), Phase:"", Conditions:[]v1.NodeCondition(nil), Addresses:[]v1.NodeAddress(nil), DaemonEndpoints:v1.NodeDaemonEndpoints{KubeletEndpoint:v1.DaemonEndpoint{Port:0}}, NodeInfo:v1.NodeSystemInfo{MachineID:"", SystemUUID:"", BootID:"", KernelVersion:"", OSImage:"", ContainerRuntimeVersion:"", KubeletVersion:"", KubeProxyVersion:"", OperatingSystem:"", Architecture:""}, Images:[]v1.ContainerImage(nil), VolumesInUse:[]v1.UniqueVolumeName(nil), VolumesAttached:[]v1.AttachedVolume(nil), Config:(*v1.NodeConfigStatus)(nil), RuntimeHandlers:[]v1.NodeRuntimeHandler(nil), Features:(*v1.NodeFeatures)(nil)}}
        	            	
        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -6,3 +6,3 @@
        	            	  ObjectMeta: (v1.ObjectMeta) {
        	            	-  Name: (string) (len=3) "foo",
        	            	+  Name: (string) "",
        	            	   GenerateName: (string) "",
        	Test:       	TestNewClusterClientSet_ClientWorks

=== FAIL: pkg/util TestNewClusterDynamicClientSet_ClientWorks (0.01s)
2025/01/19 07:28:02 http: TLS handshake error from 127.0.0.1:48820: remote error: tls: bad certificate
    membercluster_client_test.go:689: 
        	Error Trace:	/home/runner/work/karmada/karmada/pkg/util/membercluster_client_test.go:689
        	Error:      	Received unexpected error:
        	            	Get "https://127.0.0.1:43629/api/v1/nodes/foo": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Acme Co")
        	Test:       	TestNewClusterDynamicClientSet_ClientWorks
    membercluster_client_test.go:690: 
        	Error Trace:	/home/runner/work/karmada/karmada/pkg/util/membercluster_client_test.go:690
        	Error:      	Expected value not to be nil.
        	Test:       	TestNewClusterDynamicClientSet_ClientWorks
    membercluster_client_test.go:696: 
        	Error Trace:	/home/runner/work/karmada/karmada/pkg/util/membercluster_client_test.go:696
        	Error:      	Not equal: 
        	            	expected: &unstructured.Unstructured{Object:map[string]interface {}{"apiVersion":"v1", "kind":"Node", "metadata":map[string]interface {}{"name":"foo"}}}
        	            	actual  : (*unstructured.Unstructured)(nil)
        	            	
        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -1,10 +1,2 @@
        	            	-(*unstructured.Unstructured)({
        	            	- Object: (map[string]interface {}) (len=3) {
        	            	-  (string) (len=10) "apiVersion": (string) (len=2) "v1",
        	            	-  (string) (len=4) "kind": (string) (len=4) "Node",
        	            	-  (string) (len=8) "metadata": (map[string]interface {}) (len=1) {
        	            	-   (string) (len=4) "name": (string) (len=3) "foo"
        	            	-  }
        	            	- }
        	            	-})
        	            	+(*unstructured.Unstructured)(<nil>)
        	            	 
        	Test:       	TestNewClusterDynamicClientSet_ClientWorks

DONE 4624 tests, 2 failures in 330.005s
make: *** [Makefile:122: test] Error 1
Error: Process completed with exit code 2.

Let's give it another try.
/retest

[RainbowMango]

I can reproduce it on my side with Go 1.22.11, but it works fine with Go v1.22.09.

The error shows there is something wrong with the certification verification:

Get "https://127.0.0.1:44229/api/v1/nodes/foo": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Acme Co"

I'm still exploring it...

[y1hao]

Looks like x509 does change because of the security patch: https://go-review.googlesource.com/c/go/+/643105/2/src/crypto/x509/verify.go

I can take another look later today after work.

[RainbowMango]

Yeah, I'm looking at this change now.

Just share something I found so far.
The CA certificate we used in this test is signed by Acme Co, which can not pass the client verification.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            49:12:6b:12:90:46:15:ce:ed:35:bd:5f:6f:9a:4a:17
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Acme Co
        Validity
            Not Before: Jan  1 00:00:00 1970 GMT
            Not After : Jan 29 16:00:00 2084 GMT
        Subject: O = Acme Co
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e8:66:da:e6:d1:d5:d5:d0:0a:a2:e0:1a:5c:ed:
                    ff:79:b0:d4:53:8a:ef:c0:25:20:fc:23:5a:27:63:
                    d3:e7:12:c3:e0:dd:55:71:bf:2b:6c:54:96:d8:75:
                    ca:ab:e3:0f:7d:57:70:20:a4:7f:d4:37:33:12:80:
                    06:7f:f2:56:41:35:bb:12:0c:e5:5e:b0:9d:de:b9:
                    5a:8c:45:f6:0f:bd:df:69:62:5e:90:3d:14:69:48:
                    33:e6:fb:6b:4d:76:7d:d0:14:0b:ed:6b:d1:20:27:
                    7b:16:51:19:e8:53:ce:70:f9:6e:9a:2c:8d:9b:35:
                    2a:b7:01:a1:3b:ef:5a:77:55:b9:06:a2:5a:44:8e:
                    8f:61:fa:2e:36:4c:11:e8:d6:b8:4f:34:a3:e4:1a:
                    ea:51:f3:f4:17:00:e2:cc:a4:89:d1:75:e6:87:c8:
                    3c:1b:d9:ad:c3:13:92:37:74:6e:d5:01:5c:eb:55:
                    f2:7a:5b:a4:3c:e1:8a:05:5f:ea:e9:10:4d:92:54:
                    cd:7b:48:08:f2:eb:14:32:56:32:a0:2e:f2:b6:9a:
                    4d:31:6e:d7:da:fa:1d:01:e9:52:bb:6e:63:83:1d:
                    9a:9e:3f:5f:0d:56:6e:87:b0:17:17:9f:b8:9c:94:
                    b8:00:0b:74:9f:59:4d:63:b9:c6:4a:c7:59:6a:cf:
                    0f:6d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                AD:B1:D8:E1:DF:F2:42:5D:76:25:42:BC:8E:AC:BE:12:87:B0:56:E5
            X509v3 Subject Alternative Name: 
                DNS:example.com, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
    Signature Algorithm: sha256WithRSAEncryption

[y1hao]

Looks like the test cert used by the test server has been regenerated:

https://go.googlesource.com/go/+/b72d56f98d6620ebe07626dca4bb67ea8e185379%5E%21/src/net/http/internal/testcert/testcert.go

This is on 16 Jan.

I updated the testCA to be aligned with the new test cert, which I hope will resolve the test failures. But I hope there's a better way to do the tests...

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 48.34%. Comparing base (5bfdf61) to head (995c73c).

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #6066   +/-   ##
=======================================
  Coverage   48.33%   48.34%           
=======================================
  Files         666      666           
  Lines       54858    54858           
=======================================
+ Hits        26516    26519    +3     
+ Misses      26617    26615    -2     
+ Partials     1725     1724    -1     

Flag	Coverage Δ
unittests	48.34% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[y1hao]

Unit tests have passed with the certificate updates. I think there's a better fix for this. For test that don't spin up a test server, any cert can work so no updates needed. For the two test cases that use the test server, however, we should retrieve the cert from the test server, something like this:

s := http.NewTLSTestServer( //...

caPEM := new(bytes.Buffer)
pem.Encode(caPEM, &pem.Block{
	Type:  "CERTIFICATE",
	Bytes: s.Certificate().Raw,
})

// ...

    clusterv1alpha1.SecretCADataKey: caPEM.Bytes()

But this is a bit too complex for a cherry-pick commit, so I prefer to make this change in a separate PR, and only do it in master.

[RainbowMango]

But this is a bit too complex for a cherry-pick commit, so I prefer to make this change in a separate PR, and only do it in master.

That makes 100% sense to me! Thank you!

[RainbowMango]

/lgtm
/approve

[karmada-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RainbowMango

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [RainbowMango]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[RainbowMango]

By the way, I updated the PR description a little bit, so that it won't close the referencing issue as we still need to backport the changes.