* build: Dependency bumps to prep for release 2.9.0
* fix(typos): Update typos config to match IZ on txt files in testdata
* chore(lint): Address issues from newer versions of golangci-lint
* fix(dockerfile): Update iptables-wrapper install according to updated installation instructions
- Replace fmt.Errorf %s/%v + err.Error() with %w for proper error
wrapping and errors.Is/As chain support across all packages
- Replace errors.New("msg" + err.Error()) with fmt.Errorf("msg: %w", err)
- Replace strings.Contains(err.Error(), ...) with errors.Is(err,
syscall.EEXIST) and errors.Is(err, syscall.ESRCH) in linux_networking.go
- Remove now-unused IfaceHasAddr and IpvsServerExists string constants
- Replace sort.Strings with slices.Sort in bgp_policies.go, ipset.go,
and testhelpers
- Replace sort.SliceStable with slices.SortStableFunc in bgp_policies.go
- Replace reflect.DeepEqual on []string with slices.Equal in bgp_policies.go
(also fixes bug: was comparing map to slice instead of slice to slice)
- Replace reflect.DeepEqual on []*gobgpapi.Prefix with slices.EqualFunc
comparing exported fields to avoid protobuf internal state comparison
- Replace strings.Index + manual slicing with strings.Cut in docker.go
and classify.go
- Update cni_test.go to use assert.EqualError instead of assert.Equal
for wrapped error comparison
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Use new Go Tool directive (available since v1.24) for generate Moqs and
gotestsum instead of install and run directives. This also consolidates
dependencies in go.mod rather than spreading them out.
When this is not explicitly set, CodeQL still works, but if anything
ever changes (with autodetection) in the future, it will just silently
succeed without producing results. This corrects that by explicitly
saying that we want it to look for golang.
With the prevalence of recent supply chain attacks, this helps avert
dependency tampering with re-released versions by pinning to specific
SHA sums.
This is fully compliant with dependabot as it will update both the SHA
and the commented version when it does its updates.
This also helps prepare for OpenSSF integration by hardening the CI
process.
Attempts to bound the context a bit when people have to look at these
files by splitting them across multiple files and making each one
logical part of the CI lifecycle.
Ensure that the go version (and others) is the same across all points of
reference. In the case of golang, we start by deriving the available go
version from our distro of choice (Alpine) to ensure that it is used the
same everywhere.
Previously, this was done manually by humans and was therefore not
always done consistently. Sometimes dependencies would be missed,
other times dependencies would not be updated at all.
Additionally, we only used tags which, while good from a release point
of view, were not proof against supply chain attacks. This automates the
process to hopefully bring in a sense of consistency and allow us to
leverage SHA sums to guard against supply chain attacks.
This combines five defensive fixes in the Network Services Controller:
1. shuffle(): check rand.Int error before dereferencing result
- rand.Int returns (nil, err) on failure, but the result was
dereferenced before the error check, causing a nil panic
2. NodePort healthcheck: add RWMutex to protect shared maps
- UpdateServicesInfo writes serviceInfoMap/endpointsInfoMap from
the sync goroutine while HTTP handlers read concurrently
3. setupIpvsFirewall: use continue instead of return in dual-stack loop
- return nil after clearing one IP family's chain skipped the
second family entirely on dual-stack nodes
4. setupMangleTableRule/cleanupMangleTableRule: add nil check for ParseIP
- net.ParseIP result was used without nil check, causing panic
on malformed IP strings from service annotations
5. synctypeIpvs: track errors across both sync steps for heartbeat
- err from syncIpvsServices was overwritten by syncHairpinIptablesRules,
masking IPVS failures from the health check system
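The five fixes above are each a small, common Go defect. The following added example (written for this page, not kube-router's own code) reproduces the corrected shape of points 1 through 5 in one stand-alone file so they can be run under `go test -race`. The service names, the `healthState` struct and the two injected sync functions are constructed stand-ins for the real controller state.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"net"
	"sync"
)

// shuffle is a Fisher-Yates shuffle drawing from crypto/rand (point 1).
// rand.Int returns (nil, err) when the reader fails; err must be checked
// before the *big.Int is touched, otherwise a failed read panics.
func shuffle(endpoints []string) ([]string, error) {
	out := append([]string(nil), endpoints...)
	for i := len(out) - 1; i > 0; i-- {
		n, err := rand.Int(rand.Reader, big.NewInt(int64(i+1)))
		if err != nil {
			return nil, fmt.Errorf("shuffle: %w", err)
		}
		j := int(n.Int64())
		out[i], out[j] = out[j], out[i]
	}
	return out, nil
}

// healthState mirrors the NodePort healthcheck maps (point 2): written from
// the sync goroutine, read concurrently by HTTP handlers, so writes take the
// exclusive lock and reads take the shared one.
type healthState struct {
	mu        sync.RWMutex
	endpoints map[string]int // service key -> number of local endpoints
}

func (h *healthState) Update(svc string, n int) {
	h.mu.Lock()
	defer h.mu.Unlock()
	if h.endpoints == nil {
		h.endpoints = map[string]int{}
	}
	h.endpoints[svc] = n
}

func (h *healthState) Healthy(svc string) bool {
	h.mu.RLock()
	defer h.mu.RUnlock()
	return h.endpoints[svc] > 0
}

// clearFamilyChains walks every IP family (point 3). Returning after the first
// family left the second chain untouched on dual-stack nodes; here a failure is
// recorded and the loop continues with the next family.
func clearFamilyChains(families []string, clear func(string) error) ([]string, error) {
	var cleared []string
	var errs []error
	for _, fam := range families {
		if err := clear(fam); err != nil {
			errs = append(errs, fmt.Errorf("family %s: %w", fam, err))
			continue
		}
		cleared = append(cleared, fam)
	}
	return cleared, errors.Join(errs...)
}

// parseServiceIP validates an address taken from a service annotation (point 4).
// net.ParseIP returns nil on malformed input, and calling methods on that nil
// value is what panicked.
func parseServiceIP(raw string) (net.IP, error) {
	ip := net.ParseIP(raw)
	if ip == nil {
		return nil, fmt.Errorf("invalid IP %q in service annotation", raw)
	}
	return ip, nil
}

// syncIPVS runs both sync steps and keeps every failure (point 5), so a broken
// IPVS sync is still reported to the heartbeat even when the hairpin step succeeds.
func syncIPVS(syncServices, syncHairpin func() error) error {
	var errs []error
	if err := syncServices(); err != nil {
		errs = append(errs, fmt.Errorf("syncIpvsServices: %w", err))
	}
	if err := syncHairpin(); err != nil {
		errs = append(errs, fmt.Errorf("syncHairpinIptablesRules: %w", err))
	}
	return errors.Join(errs...)
}

func main() {
	out, err := shuffle([]string{"10.0.0.1", "10.0.0.2", "10.0.0.3"})
	fmt.Println(out, err)
	h := &healthState{}
	h.Update("default/web", 2)
	fmt.Println("healthy:", h.Healthy("default/web"), h.Healthy("default/missing"))
	cleared, err := clearFamilyChains([]string{"ipv4", "ipv6"}, func(string) error { return nil })
	fmt.Println(cleared, err)
	_, err = parseServiceIP("10.1.2")
	fmt.Println("parse:", err)
	fmt.Println("sync:", syncIPVS(func() error { return errors.New("ipvs down") }, func() error { return nil }))
}
```

`errors.Join` (Go 1.20+) is used rather than keeping only the first error so that a failure in either step surfaces through `errors.Is` on the joined result; the commit's narrower fix of not overwriting `err` would also satisfy the test below.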
bgpServerStarted was already fixed. This commit applies the same pattern
to initSrcDstCheckDone and ec2IamAuthorized, which are written from Run()
and the AWS src-dst-check path and read from syncInternalPeers() via
bgp_peers.go — potential data race under concurrent BGP peer syncs.
Also adds TestAtomicBoolFieldsNoConcurrentDataRace to
network_routes_controller_test.go to exercise all three fields under
the race detector.
bgpServerStarted is written in Run() on the controller goroutine and
read from informer callbacks (OnNodeUpdate, handleServiceUpdate,
handleServiceDelete, OnEndpointsAdd, OnEndpointsUpdate) which run on
a separate goroutine. This is a data race.
Replace the plain bool with sync/atomic.Bool, using Store() for writes
and Load() for reads, to make cross-goroutine access safe without
requiring the caller to hold nrc.mu.
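The two commits above describe the same conversion (a plain `bool` shared across goroutines replaced by `sync/atomic.Bool` with `Store` on the writer and `Load` on the readers). The following added example (written for this page, not kube-router's own code) uses the three field names from the commit messages on a constructed `routesController` stand-in and exercises them from one writer and several readers, which is the shape a race-detector test such as the one mentioned above would take; the method names are hypothetical.

```go
package main

import (
	"fmt"
	"runtime"
	"sync"
	"sync/atomic"
)

// routesController carries the three flags the commits convert. The zero value
// of atomic.Bool is false, so no constructor is needed.
type routesController struct {
	bgpServerStarted    atomic.Bool
	initSrcDstCheckDone atomic.Bool
	ec2IamAuthorized    atomic.Bool
}

// Run is the controller goroutine: it is the only writer and uses Store.
func (c *routesController) Run() {
	c.bgpServerStarted.Store(true)
	c.initSrcDstCheckDone.Store(true)
	c.ec2IamAuthorized.Store(true)
}

// OnNodeUpdate stands in for an informer callback running on another goroutine.
// It reads with Load and needs no lock for this field.
func (c *routesController) OnNodeUpdate() bool {
	return c.bgpServerStarted.Load()
}

// syncInternalPeers reads the two AWS-related flags the same way.
func (c *routesController) syncInternalPeers() bool {
	return c.initSrcDstCheckDone.Load() && c.ec2IamAuthorized.Load()
}

// exerciseConcurrently starts the writer and `readers` polling goroutines and
// returns the controller plus how many readers eventually saw all flags true.
// Run it under `go test -race`; with plain bools the detector reports the race.
func exerciseConcurrently(readers int) (*routesController, int32) {
	c := &routesController{}
	var wg sync.WaitGroup
	var observed atomic.Int32
	for i := 0; i < readers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			// Poll like a callback that keeps checking whether BGP is up yet.
			for !(c.OnNodeUpdate() && c.syncInternalPeers()) {
				runtime.Gosched()
			}
			observed.Add(1)
		}()
	}
	go c.Run()
	wg.Wait()
	return c, observed.Load()
}

func main() {
	c, seen := exerciseConcurrently(8)
	fmt.Println("readers that observed all flags:", seen)
	fmt.Println("bgpServerStarted:", c.OnNodeUpdate(), "aws flags:", c.syncInternalPeers())
}
```

Note that `atomic.Bool` only makes each individual flag safe to read and write concurrently; it does not order one flag relative to another, so a reader can observe `bgpServerStarted` true while `initSrcDstCheckDone` is still false. That is fine for flags that are checked independently, which is why the commit can drop the `nrc.mu` requirement for these reads, but any invariant spanning several fields still needs the mutex.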
This implements support for KEP-1860. When a LoadBalancer ingress has ipMode set to 'Proxy', kube-router will skip adding the IP to the local IPVS table and will not hijack the traffic. If ipMode is 'VIP' or unset, the current behavior is maintained.
Fixes #2014