Merge pull request #2203 from vmware-tanzu/go1.24

Upgrade to Go 1.24 and change FIPS-compatible builds to allow the use of TLS 1.3
2026-01-07 14:05:50 +00:00 · 2025-02-19 14:46:01 -08:00
parent 737aabb620 3a6573f89e
commit 8b7fec5049
16 changed files with 40 additions and 69 deletions
--- a/2
+++ b/2
@@ -3,7 +3,7 @@
 # Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
-ARG BUILD_IMAGE=golang:1.23.6@sha256:927112936d6b496ed95f55f362cc09da6e3e624ef868814c56d55bd7323e0959
+ARG BUILD_IMAGE=golang:1.24.0@sha256:2b1cbf278ce05a2a310a3d695ebb176420117a8cfcfcc4e5e68a1bef5f6354da
 ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:6ec5aa99dc335666e79dc64e4a6c8b89c33a543a1967f20d360922a80dd21f02
 # Prepare to cross-compile by always running the build stage in the build platform, not the target platform.
--- a/generated/1.30/apis/go.mod
+++ b/generated/1.30/apis/go.mod
@@ -3,7 +3,7 @@ module go.pinniped.dev/generated/1.30/apis
 go 1.22.0
-toolchain go1.23.6
+toolchain go1.24.0
 require (
 	k8s.io/api v0.30.9
--- a/generated/1.30/client/go.mod
+++ b/generated/1.30/client/go.mod
@@ -3,7 +3,7 @@ module go.pinniped.dev/generated/1.30/client
 go 1.22.0
-toolchain go1.23.6
+toolchain go1.24.0
 replace go.pinniped.dev/generated/1.30/apis => ../apis
--- a/generated/1.31/apis/go.mod
+++ b/generated/1.31/apis/go.mod
@@ -3,7 +3,7 @@ module go.pinniped.dev/generated/1.31/apis
 go 1.22.0
-toolchain go1.23.6
+toolchain go1.24.0
 require (
 	k8s.io/api v0.31.5
--- a/generated/1.31/client/go.mod
+++ b/generated/1.31/client/go.mod
@@ -3,7 +3,7 @@ module go.pinniped.dev/generated/1.31/client
 go 1.22.0
-toolchain go1.23.6
+toolchain go1.24.0
 replace go.pinniped.dev/generated/1.31/apis => ../apis
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module go.pinniped.dev
 go 1.23.0
-toolchain go1.23.6
+toolchain go1.24.0
 // When using v0.31.5, need to use this version of structured-merge-diff.
 // See https://github.com/kubernetes/apimachinery/blob/v0.31.5/go.mod#L30
@@ -39,7 +39,7 @@ require (
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
 	github.com/pkg/errors v0.9.1
 	github.com/sclevine/spec v1.4.0
-	github.com/spf13/cobra v1.8.1
+	github.com/spf13/cobra v1.9.1
 	github.com/spf13/pflag v1.0.6
 	github.com/stretchr/testify v1.10.0
 	github.com/tdewolff/minify/v2 v2.21.3
@@ -78,7 +78,7 @@ require (
 	github.com/chromedp/sysutil v1.1.0 // indirect
 	github.com/coreos/go-oidc v2.2.1+incompatible // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
 	github.com/cristalhq/jwt/v4 v4.0.2 // indirect
 	github.com/dgraph-io/ristretto v1.0.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -90,8 +90,8 @@ github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
+github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
-github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
@@ -528,8 +528,8 @@ github.com/spf13/afero v1.9.5/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/
 github.com/spf13/cast v1.5.1 h1:R+kOtfhWQE6TVQzY+4D7wJLBgkdVasCEFxSUBYBYIlA=
 github.com/spf13/cast v1.5.1/go.mod h1:b9PdjNptOpzXr7Rq1q9gJML/2cdGQAo69NKzQ10KN48=
 github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
-github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
 github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
--- a/hack/Dockerfile_fips
+++ b/hack/Dockerfile_fips
@@ -16,7 +16,7 @@
 # See https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md
 # and https://kupczynski.info/posts/fips-golang/ for details.
-ARG BUILD_IMAGE=golang:1.23.6@sha256:927112936d6b496ed95f55f362cc09da6e3e624ef868814c56d55bd7323e0959
+ARG BUILD_IMAGE=golang:1.24.0@sha256:2b1cbf278ce05a2a310a3d695ebb176420117a8cfcfcc4e5e68a1bef5f6354da
 ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:6ec5aa99dc335666e79dc64e4a6c8b89c33a543a1967f20d360922a80dd21f02
 # This is not currently using --platform to prepare to cross-compile because we use gcc below to build
--- a/hack/lib/lint-version.txt
+++ b/hack/lib/lint-version.txt
@@ -1 +1 @@
-1.63.4
+1.64.5
--- a/hack/update-go-mod/go.mod
+++ b/hack/update-go-mod/go.mod
@@ -2,6 +2,6 @@ module go.pinniped.dev/update-go-mod
 go 1.22.0
-toolchain go1.23.6
+toolchain go1.24.0
 require golang.org/x/mod v0.22.0
--- a/internal/concierge/impersonator/impersonator.go
+++ b/internal/concierge/impersonator/impersonator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package impersonator
@@ -650,7 +650,6 @@ func getTransportForUser(ctx context.Context, userInfo user.Info, delegate, dele
 }
 func canImpersonateFully(userInfo user.Info) bool {
 	//nolint:gosimple  // this structure is on purpose because we plan to expand this function
 	if len(userInfo.GetUID()) == 0 {
 		return true
 	}
--- a/internal/crypto/ptls/default_profile_max_tls_version_for_fips_13.go
+++ b/internal/crypto/ptls/default_profile_max_tls_version_for_fips_13.go
@@ -1,10 +0,0 @@
 // Copyright 2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 //go:build fips_enable_tls13_max_for_default_profile
 package ptls
 import "crypto/tls"
 const DefaultProfileMaxTLSVersionForFIPS = tls.VersionTLS13
--- a/internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go
+++ b/internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go
@@ -1,10 +0,0 @@
 // Copyright 2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 //go:build !fips_enable_tls13_max_for_default_profile
 package ptls
 import "crypto/tls"
 const DefaultProfileMaxTLSVersionForFIPS = tls.VersionTLS12
--- a/internal/crypto/ptls/profiles_fips_strict.go
+++ b/internal/crypto/ptls/profiles_fips_strict.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // This file overrides profiles.go when Pinniped is built in FIPS-only mode.
@@ -37,11 +37,9 @@ var (
 	// insecureCipherSuiteIDs is a list of additional ciphers that should be allowed for both clients
 	// and servers when using TLS 1.2.
 	//
-	// FIPS allows the use of these specific ciphers that golang considers insecure.
+	// Previous versions of FIPS allowed the use of some specific ciphers that golang considers insecure.
-	insecureCipherSuiteIDs = []uint16{
+	// Go 1.24 does not anymore, so now this list is empty.
-		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+	insecureCipherSuiteIDs []uint16
 		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
 	}
 	// additionalSecureCipherSuiteIDsOnlyForLDAPClients are additional ciphers to use only for LDAP clients
 	// when using TLS 1.2. These can be used when the Pinniped Supervisor is making calls to an LDAP server
@@ -62,8 +60,7 @@ func init() {
 	// this init runs before we have parsed our config to determine our log level
 	// thus we must use a log statement that will always print instead of conditionally print
 	plog.Always("this server was compiled to use boring crypto in FIPS-only mode",
-		"go version", runtime.Version(),
+		"go version", runtime.Version())
 		"DefaultProfileMaxTLSVersionForFIPS", tls.VersionName(DefaultProfileMaxTLSVersionForFIPS))
 }
 // Default: see comment in profiles.go.
@@ -72,8 +69,8 @@ func init() {
 // and insecureCipherSuiteIDs values defined above.
 func Default(rootCAs *x509.CertPool) *tls.Config {
 	config := buildTLSConfig(rootCAs, allHardcodedAllowedCipherSuites(), getUserConfiguredAllowedCipherSuitesForTLSOneDotTwo())
-	// Until goboring supports TLS 1.3, make the max version 1.2 by default. Allow it to be overridden by a build tag.
+	// Note: starting in Go 1.24, boringcrypto supports TLS 1.3, so we allow it here.
-	config.MaxVersion = DefaultProfileMaxTLSVersionForFIPS
+	config.MaxVersion = tls.VersionTLS13
 	return config
 }
@@ -86,15 +83,18 @@ func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
 // Secure: see comment in profiles.go.
 // This chooses different cipher suites and/or TLS versions compared to non-FIPS mode.
-// Until goboring supports TLS 1.3, make the Secure profile the same as the Default profile in FIPS mode.
+// Note: starting in Go 1.24, boringcrypto supports TLS 1.3, so we allow it here.
-// Until then, this is not any different from the Default profile in FIPS mode.
+// However, until it is safe to assume that a FIPS-compiled k8s server supports TLS 1.3, continue to
 // make the Secure profile the same as the Default profile in FIPS mode, to allow both TLS 1.2 and 1.3.
 func Secure(rootCAs *x509.CertPool) *tls.Config {
 	return Default(rootCAs)
 }
 // SecureServing: see comment in profiles.go.
 // This chooses different cipher suites and/or TLS versions compared to non-FIPS mode.
-// Until goboring supports TLS 1.3, make SecureServing use the same as the defaultServing profile in FIPS mode.
+// Note: starting in Go 1.24, boringcrypto supports TLS 1.3, so we allow it here.
 // However, until it is safe to assume that a FIPS-compiled k8s server supports TLS 1.3, continue to
 // make SecureServing use the same as the defaultServing profile in FIPS mode, to allow both TLS 1.2 and 1.3.
 func SecureServing(opts *options.SecureServingOptionsWithLoopback) {
 	defaultServing(opts)
 }
--- a/test/integration/limited_ciphers_fips_test.go
+++ b/test/integration/limited_ciphers_fips_test.go
@@ -1,4 +1,4 @@
-// Copyright 2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2024-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 //go:build fips_strict
@@ -21,12 +21,11 @@ func TestLimitedCiphersFIPS_Disruptive(t *testing.T) {
 			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
 			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
 			"TLS_RSA_WITH_AES_256_GCM_SHA384", // this is an insecure cipher but allowed for FIPS
 		},
 		// Expected server configuration for the Supervisor's OIDC endpoints.
 		&tls.Config{
 			MinVersion: tls.VersionTLS12, // Supervisor OIDC always allows TLS 1.2 clients to connect
-			MaxVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet
+			MaxVersion: tls.VersionTLS13,
 			CipherSuites: []uint16{
 				// Supervisor OIDC endpoints configured with EC certs use only EC ciphers.
 				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
@@ -35,13 +34,12 @@ func TestLimitedCiphersFIPS_Disruptive(t *testing.T) {
 		},
 		// Expected server configuration for the Supervisor and Concierge aggregated API endpoints.
 		&tls.Config{
-			MinVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet
+			MinVersion: tls.VersionTLS12, // always allow TLS 1.2 in fips mode
-			MaxVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet
+			MaxVersion: tls.VersionTLS13,
 			CipherSuites: []uint16{
 				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 				tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
 			},
 		},
 	)
--- a/test/integration/ptls_fips_test.go
+++ b/test/integration/ptls_fips_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 //go:build fips_strict
@@ -65,8 +65,6 @@ var expectedFIPSCipherSuites = []uint16{
 	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 	tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
 	tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
 }
 func TestDefault_Parallel(t *testing.T) {
@@ -77,7 +75,7 @@ func TestDefault_Parallel(t *testing.T) {
 	actual := ptls.Default(aCertPool)
 	expected := &tls.Config{
 		MinVersion:   tls.VersionTLS12,
-		MaxVersion:   tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use
+		MaxVersion:   tls.VersionTLS13,
 		CipherSuites: expectedFIPSCipherSuites,
 		NextProtos:   []string{"h2", "http/1.1"},
 		RootCAs:      aCertPool,
@@ -94,7 +92,7 @@ func TestDefaultLDAP_Parallel(t *testing.T) {
 	actual := ptls.DefaultLDAP(aCertPool)
 	expected := &tls.Config{
 		MinVersion:   tls.VersionTLS12,
-		MaxVersion:   tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use
+		MaxVersion:   tls.VersionTLS13,
 		CipherSuites: expectedFIPSCipherSuites,
 		NextProtos:   []string{"h2", "http/1.1"},
 		RootCAs:      aCertPool,
@@ -110,10 +108,8 @@ func TestSecure_Parallel(t *testing.T) {
 	actual := ptls.Secure(aCertPool)
 	expected := &tls.Config{
-		// goboring does not currently support TLS 1.3, so where we would normally require it by making it the
+		MinVersion:   tls.VersionTLS12, // allow TLS 1.2 in FIPS mode
-		// min version for the secure profile, we cannot do that in FIPS mode
+		MaxVersion:   tls.VersionTLS13,
 		MinVersion:   tls.VersionTLS12,
 		MaxVersion:   tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use
 		CipherSuites: expectedFIPSCipherSuites,
 		NextProtos:   []string{"h2", "http/1.1"},
 		RootCAs:      aCertPool,
@@ -135,10 +131,8 @@ func TestSecureServing_Parallel(t *testing.T) {
 	require.Equal(t, options.SecureServingOptionsWithLoopback{
 		SecureServingOptions: &options.SecureServingOptions{
-			CipherSuites: expectedFIPSCipherSuiteNames,
+			CipherSuites:  expectedFIPSCipherSuiteNames,
-			// goboring does not currently support TLS 1.3, so where we would normally require it by making it the
+			MinTLSVersion: "VersionTLS12", // allow TLS 1.2 in FIPS mode
 			// min version for secure serving for aggregated API servers, we cannot do that in FIPS mode
 			MinTLSVersion: "VersionTLS12",
 		},
 	}, *opts)
 }