Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade to Go 1.22 and revert support for new goboring #1863

Merged
merged 6 commits into from
Feb 8, 2024
Merged

Upgrade to Go 1.22 and revert support for new goboring #1863

merged 6 commits into from
Feb 8, 2024

Conversation

cfryanr
Copy link
Member

@cfryanr cfryanr commented Feb 7, 2024
edited
Loading

Previously, Go released an upgrade to goboring in Go 1.21.6. They were apparently racing to meet a FIPS deadline for TLS 1.3 support, which is why they made such a big change in a patch release.

However, they later changed their minds and Go 1.21.7 and Go 1.22 are downgraded back to the same old goboring. See golang/go#65321.

We previously changed the Pinniped code to support TLS 1.3 because the new goboring supported it. See #1841. However, by upgrading to Go 1.22, now we are back to using the old goboring, so we need to revert our previous changes.

Note that the next release of Pinnped will not work if compiled for FIPS using Go 1.21.6 due to this. Any other recent version should work, because only Go 1.21.6 included the new goboring. This should not be a problem because the hack/Dockerfile_fips file will not reference Go 1.21.6 anymore in the next release of Pinniped. However, this is worth noting for anyone who is compiling Pinniped for FIPS using a custom Dockerfile or who is overriding the BUILD_IMAGE arg of the Dockerfile.

When Go someday upgrades goboring again, we should be able to revert the one related commit from this PR to enable TLS 1.3 in FIPS mode again (the commit titled "Revert support TLS 1.3 in FIPS mode because Go reverted goboring upgrade").

This PR also includes other changes needed for Go 1.22, as well as changes in the auto-generated code due to upgrading conroller-gen in CI to v0.14.0 (which was done at the same time as working on this PR).

Release note:

None because we never included FIPS mode TLS 1.3 in a Pinniped release, even though the code lived on the main branch for a little while.

NONE

@codecov Codecov
Copy link

codecov bot commented Feb 7, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (a728822) 79.10% compared to head (904a60f) 38.62%.

Additional details and impacted files 
@@             Coverage Diff             @@
##             main    #1863       +/-   ##
===========================================
- Coverage   79.10%   38.62%   -40.48%     
===========================================
  Files         173      335      +162     
  Lines       16201    43595    +27394     
===========================================
+ Hits        12815    16840     +4025     
- Misses       3066    26252    +23186     
- Partials      320      503      +183

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

benjaminapetersen
benjaminapetersen approved these changes Feb 8, 2024
View reviewed changes
Copy link
Member

@benjaminapetersen benjaminapetersen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@cfryanr cfryanr mentioned this pull request Feb 8, 2024
Merged
@cfryanr
Test util AssertTLS supports both old and new goboring
e303a45 
- Current goboring only allows TLS 1.2.
- The next goboring will allow TLS 1.2 and TLS 1.3. We got a preview
  of this when the Go team upgraded goboring in Go 1.21.6, but then
  downgraded it again in the next Go releases.
@cfryanr cfryanr force-pushed the revert_support_for_new_goboring branch from e9ee87a to c1fdb54 Compare February 8, 2024 17:43
@cfryanr
Revert support TLS 1.3 in FIPS mode because Go reverted goboring upgrade
d279411 
Goboring only allows TLS 1.2.

The next goboring will allow both TLS 1.2 and TLS 1.3. We got a preview
of this when the Go team upgraded goboring in Go 1.21.6, but then
downgraded it again in the next Go releases.

When the Go team eventually upgrades goboring again, then we can
revert this commit to bring back TLS 1.3 support in FIPS mode.
@cfryanr cfryanr force-pushed the revert_support_for_new_goboring branch from c1fdb54 to d279411 Compare February 8, 2024 18:44
@cfryanr cfryanr changed the title Revert support for new goboring Upgrade to Go 1.22 and revert support for new goboring Feb 8, 2024
@cfryanr cfryanr force-pushed the revert_support_for_new_goboring branch from 1e2d84a to 904a60f Compare February 8, 2024 22:14
@cfryanr cfryanr enabled auto-merge February 8, 2024 22:40
@cfryanr cfryanr merged commit ad9d9ce into main Feb 8, 2024
39 checks passed
@cfryanr cfryanr deleted the revert_support_for_new_goboring branch February 8, 2024 23:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@benjaminapetersen benjaminapetersen benjaminapetersen approved these changes

Assignees
No one assigned
Labels
cla-not-required
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@cfryanr @benjaminapetersen @vmwclabot @pinniped-ci-bot