Merge pull request #665 from cert-manager/self-upgrade-main

[CI] Merge self-upgrade-main into main

Author: cert-manager-prow[bot]

.github/workflows/renovate.yaml

@@ -50,7 +50,7 @@ jobs:
           go-version: ${{ steps.go-version.outputs.result }}
 
       - name: Self-hosted Renovate
-        uses: renovatebot/github-action@aec779d4f7845f8431ddf403cf9659d4702ddde0 # v43.0.18
+        uses: renovatebot/github-action@a3c115cd6676c8a5bc72f9715f108759e570daf5 # v43.0.19
         with:
           configurationFile: .github/renovate.json5
           token: ${{ steps.octo-sts.outputs.token }}

.golangci.yaml

@@ -50,6 +50,7 @@ linters:
     - makezero
     - mirror
     - misspell
+    - modernize
     - musttag
     - nakedret
     - nilerr
@@ -77,9 +78,10 @@ formatters:
       sections:
         - standard # Standard section: captures all standard packages.
         - default # Default section: contains all imports that could not be matched to another section type.
-        - prefix(github.com/cert-manager/istio-csr) # Custom section: groups all imports with the specified Prefix.
+        - localmodule # Local module section: contains all local packages. This section is not present unless explicitly enabled.
         - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
         - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.
+      custom-order: true
   exclusions:
     generated: lax
     paths: [third_party, builtin$, examples$]

cmd/app/app.go

@@ -89,7 +89,7 @@ func NewCommand(ctx context.Context) *cobra.Command {
 
 			mlog := opts.Logr.WithName("manager")
 			eventBroadcaster := record.NewBroadcaster()
-			eventBroadcaster.StartLogging(func(format string, args ...interface{}) { mlog.V(3).Info(fmt.Sprintf(format, args...)) })
+			eventBroadcaster.StartLogging(func(format string, args ...any) { mlog.V(3).Info(fmt.Sprintf(format, args...)) })
 			eventBroadcaster.StartRecordingToSink(&clientv1.EventSinkImpl{Interface: cl.CoreV1().Events(opts.CertManager.Namespace)})
 
 			mgr, err := ctrl.NewManager(opts.RestConfig, ctrl.Options{

klone.yaml

@@ -10,70 +10,70 @@ targets:
     - folder_name: boilerplate
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 737c51c1bf36dea15a7ef2bc5c070d09845530a2
+      repo_hash: 2121d6bf1ec6440011bc03021015af1c18ec0eba
       repo_path: modules/boilerplate
     - folder_name: cert-manager
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 737c51c1bf36dea15a7ef2bc5c070d09845530a2
+      repo_hash: 2121d6bf1ec6440011bc03021015af1c18ec0eba
       repo_path: modules/cert-manager
     - folder_name: controller-gen
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 737c51c1bf36dea15a7ef2bc5c070d09845530a2
+      repo_hash: 2121d6bf1ec6440011bc03021015af1c18ec0eba
       repo_path: modules/controller-gen
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 737c51c1bf36dea15a7ef2bc5c070d09845530a2
+      repo_hash: 2121d6bf1ec6440011bc03021015af1c18ec0eba
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 737c51c1bf36dea15a7ef2bc5c070d09845530a2
+      repo_hash: 2121d6bf1ec6440011bc03021015af1c18ec0eba
       repo_path: modules/go
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 737c51c1bf36dea15a7ef2bc5c070d09845530a2
+      repo_hash: 2121d6bf1ec6440011bc03021015af1c18ec0eba
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 737c51c1bf36dea15a7ef2bc5c070d09845530a2
+      repo_hash: 2121d6bf1ec6440011bc03021015af1c18ec0eba
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 737c51c1bf36dea15a7ef2bc5c070d09845530a2
+      repo_hash: 2121d6bf1ec6440011bc03021015af1c18ec0eba
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 737c51c1bf36dea15a7ef2bc5c070d09845530a2
+      repo_hash: 2121d6bf1ec6440011bc03021015af1c18ec0eba
       repo_path: modules/klone
     - folder_name: licenses
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 737c51c1bf36dea15a7ef2bc5c070d09845530a2
+      repo_hash: 2121d6bf1ec6440011bc03021015af1c18ec0eba
       repo_path: modules/licenses
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 737c51c1bf36dea15a7ef2bc5c070d09845530a2
+      repo_hash: 2121d6bf1ec6440011bc03021015af1c18ec0eba
       repo_path: modules/oci-build
     - folder_name: oci-publish
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 737c51c1bf36dea15a7ef2bc5c070d09845530a2
+      repo_hash: 2121d6bf1ec6440011bc03021015af1c18ec0eba
       repo_path: modules/oci-publish
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 737c51c1bf36dea15a7ef2bc5c070d09845530a2
+      repo_hash: 2121d6bf1ec6440011bc03021015af1c18ec0eba
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 737c51c1bf36dea15a7ef2bc5c070d09845530a2
+      repo_hash: 2121d6bf1ec6440011bc03021015af1c18ec0eba
       repo_path: modules/tools

make/_shared/go/.golangci.override.yaml

@@ -45,6 +45,7 @@ linters:
     - makezero
     - mirror
     - misspell
+    - modernize
     - musttag
     - nakedret
     - nilerr
@@ -69,10 +70,11 @@ formatters:
   enable: [ gci, gofmt ]
   settings:
     gci:
+      custom-order: true
       sections:
         - standard # Standard section: captures all standard packages.
         - default # Default section: contains all imports that could not be matched to another section type.
-        - prefix({{REPO-NAME}}) # Custom section: groups all imports with the specified Prefix.
+        - localmodule # Local module section: contains all local packages. This section is not present unless explicitly enabled.
         - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
         - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.
   exclusions:

make/_shared/go/01_mod.mk

@@ -117,7 +117,6 @@ generate-golangci-lint-config: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir)/s
 	cp $(golangci_lint_config) $(bin_dir)/scratch/golangci-lint.yaml.tmp
 	$(YQ) -i 'del(.linters.enable)' $(bin_dir)/scratch/golangci-lint.yaml.tmp
 	$(YQ) eval-all -i '. as $$item ireduce ({}; . * $$item)' $(bin_dir)/scratch/golangci-lint.yaml.tmp $(golangci_lint_override)
-	$(YQ) -i '(.. | select(tag == "!!str")) |= sub("{{REPO-NAME}}", "$(repo_name)")' $(bin_dir)/scratch/golangci-lint.yaml.tmp
 	mv $(bin_dir)/scratch/golangci-lint.yaml.tmp $(golangci_lint_config)
 
 shared_generate_targets += generate-golangci-lint-config
@@ -147,9 +146,9 @@ fix-golangci-lint: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(NEEDS_GCI) $(bin_dir)/
 	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \
 		| while read d; do \
 				target=$$(dirname $${d}); \
-				echo "Running 'GOVERSION=$(VENDORED_GO_VERSION) $(bin_dir)/tools/golangci-lint fmt -c $(CURDIR)/$(golangci_lint_config)' in directory '$${target}'"; \
+				echo "Running 'GOVERSION=$(VENDORED_GO_VERSION) $(bin_dir)/tools/golangci-lint run --fix -c $(CURDIR)/$(golangci_lint_config) --timeout $(golangci_lint_timeout)' in directory '$${target}'"; \
 				pushd "$${target}" >/dev/null; \
-				GOVERSION=$(VENDORED_GO_VERSION) $(GOLANGCI-LINT) fmt -c $(CURDIR)/$(golangci_lint_config) || exit; \
+				GOVERSION=$(VENDORED_GO_VERSION) $(GOLANGCI-LINT) run --fix -c $(CURDIR)/$(golangci_lint_config) --timeout $(golangci_lint_timeout) || exit; \
 				popd >/dev/null; \
 				echo ""; \
 			done

make/_shared/repository-base/base/.github/workflows/renovate.yaml

@@ -50,7 +50,7 @@ jobs:
           go-version: ${{ steps.go-version.outputs.result }}
 
       - name: Self-hosted Renovate
-        uses: renovatebot/github-action@aec779d4f7845f8431ddf403cf9659d4702ddde0 # v43.0.18
+        uses: renovatebot/github-action@a3c115cd6676c8a5bc72f9715f108759e570daf5 # v43.0.19
         with:
           configurationFile: .github/renovate.json5
           token: ${{ steps.octo-sts.outputs.token }}

make/_shared/tools/00_mod.mk

@@ -86,7 +86,7 @@ tools += yq=v4.48.1
 tools += ko=0.18.0
 # https://github.com/protocolbuffers/protobuf/releases
 # renovate: datasource=github-releases packageName=protocolbuffers/protobuf
-tools += protoc=v32.1
+tools += protoc=v33.0
 # https://github.com/aquasecurity/trivy/releases
 # renovate: datasource=github-releases packageName=aquasecurity/trivy
 tools += trivy=v0.67.2
@@ -167,7 +167,7 @@ tools += cmctl=v2.3.0
 tools += cmrel=v1.12.15-0.20241121151736-e3cbe5171488
 # https://pkg.go.dev/github.com/golangci/golangci-lint/v2/cmd/golangci-lint?tab=versions
 # renovate: datasource=go packageName=github.com/golangci/golangci-lint/v2
-tools += golangci-lint=v2.5.0
+tools += golangci-lint=v2.6.0
 # https://pkg.go.dev/golang.org/x/vuln?tab=versions
 # renovate: datasource=go packageName=golang.org/x/vuln
 tools += govulncheck=v1.1.4
@@ -499,7 +499,7 @@ $(DOWNLOAD_DIR)/tools/vault@$(VAULT_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $(DOWNLO
 	@source $(lock_script) $@; \
 		$(CURL) https://releases.hashicorp.com/vault/$(VAULT_VERSION:v%=%)/vault_$(VAULT_VERSION:v%=%)_$(HOST_OS)_$(HOST_ARCH).zip -o $(outfile).zip; \
 		$(checkhash_script) $(outfile).zip $(vault_$(HOST_OS)_$(HOST_ARCH)_SHA256SUM); \
-		unzip -qq -c $(outfile).zip > $(outfile); \
+		unzip -p $(outfile).zip vault > $(outfile); \
 		chmod +x $(outfile); \
 		rm -f $(outfile).zip
 
@@ -580,10 +580,10 @@ $(DOWNLOAD_DIR)/tools/ko@$(KO_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $(DOWNLOAD_DIR
 		chmod +x $(outfile); \
 		rm -f $(outfile).tar.gz
 
-protoc_linux_amd64_SHA256SUM=e9c129c176bb7df02546c4cd6185126ca53c89e7d2f09511e209319704b5dd7e
-protoc_linux_arm64_SHA256SUM=4a802ed23d70f7bad7eb19e5a3e724b3aa967250d572cadfd537c1ba939aee6a
-protoc_darwin_amd64_SHA256SUM=f9caa5b4d0b537acffb0ffd7d53225511a5574ef903fca550ea9e7600987f13b
-protoc_darwin_arm64_SHA256SUM=a7b51b2113862690fa52c62f8891a6037bafb9db88d4f9924c486de9d9bb89d5
+protoc_linux_amd64_SHA256SUM=d99c011b799e9e412064244f0be417e5d76c9b6ace13a2ac735330fa7d57ad8f
+protoc_linux_arm64_SHA256SUM=4b96bc91f8b54d829b8c3ca2207ff1ceb774843321e4fa5a68502faece584272
+protoc_darwin_amd64_SHA256SUM=e4e50a703147a92d1a5a2d3a34c9e41717f67ade67d4be72b9a466eb8f22fe87
+protoc_darwin_arm64_SHA256SUM=3cf55dd47118bd2efda9cd26b74f8bbbfcf5beb1bf606bc56ad4c001b543f6d3
 
 .PRECIOUS: $(DOWNLOAD_DIR)/tools/protoc@$(PROTOC_VERSION)_$(HOST_OS)_$(HOST_ARCH)
 $(DOWNLOAD_DIR)/tools/protoc@$(PROTOC_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $(DOWNLOAD_DIR)/tools
@@ -593,7 +593,7 @@ $(DOWNLOAD_DIR)/tools/protoc@$(PROTOC_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $(DOWN
 	@source $(lock_script) $@; \
 		$(CURL) https://github.com/protocolbuffers/protobuf/releases/download/$(PROTOC_VERSION)/protoc-$(PROTOC_VERSION:v%=%)-$(OS)-$(ARCH).zip -o $(outfile).zip; \
 		$(checkhash_script) $(outfile).zip $(protoc_$(HOST_OS)_$(HOST_ARCH)_SHA256SUM); \
-		unzip -qq -c $(outfile).zip bin/protoc > $(outfile); \
+		unzip -p $(outfile).zip bin/protoc > $(outfile); \
 		chmod +x $(outfile); \
 		rm -f $(outfile).zip
 

pkg/certmanager/certmanager.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"maps"
 	"sync"
 	"time"
 
@@ -230,9 +231,7 @@ func (m *manager) Sign(ctx context.Context, identities string, csrPEM []byte, du
 		},
 	}
 
-	for k, v := range m.opts.AdditionalAnnotations {
-		cr.ObjectMeta.Annotations[k] = v
-	}
+	maps.Copy(cr.ObjectMeta.Annotations, m.opts.AdditionalAnnotations)
 	// Create CertificateRequest and wait for it to be successfully signed.
 	cr, err := m.certManagerClient.Create(ctx, cr, metav1.CreateOptions{})
 	if err != nil {

pkg/server/internal/extensions/extensions_test.go

@@ -28,7 +28,7 @@ import (
 )
 
 var (
-	disallowedX509KeyUsages = []interface{}{
+	disallowedX509KeyUsages = []any{
 		x509.KeyUsageContentCommitment,
 		x509.KeyUsageDataEncipherment,
 		x509.KeyUsageKeyAgreement,
@@ -38,12 +38,12 @@ var (
 		x509.KeyUsageDecipherOnly,
 	}
 
-	allowedX509KeyUsages = []interface{}{
+	allowedX509KeyUsages = []any{
 		x509.KeyUsageDigitalSignature,
 		x509.KeyUsageKeyEncipherment,
 	}
 
-	disallowedX509ExtKeyUsages = []interface{}{
+	disallowedX509ExtKeyUsages = []any{
 		x509.ExtKeyUsageAny,
 		x509.ExtKeyUsageCodeSigning,
 		x509.ExtKeyUsageEmailProtection,
@@ -58,7 +58,7 @@ var (
 		x509.ExtKeyUsageMicrosoftKernelCodeSigning,
 	}
 
-	allowedX509ExtKeyUsages = []interface{}{
+	allowedX509ExtKeyUsages = []any{
 		x509.ExtKeyUsageServerAuth,
 		x509.ExtKeyUsageClientAuth,
 	}
@@ -319,13 +319,13 @@ func TestValidateKeyUsageExtension(t *testing.T) {
 }
 
 // Adapted from https://github.com/mxschmitt/golang-combinations
-func powerset(set []interface{}) (subsets [][]interface{}) {
+func powerset(set []any) (subsets [][]any) {
 	length := uint(len(set))
 
 	// Go through all possible combinations of objects
 	// from 1 (only first object in subset) to 2^length (all objects in subset)
 	for subsetBits := 1; subsetBits < (1 << length); subsetBits++ {
-		var subset []interface{}
+		var subset []any
 
 		for object := range length {
 			// checks if object is contained in subset