Merge pull request #573 from jkh52/backport-cve-release-0.1

[release-0.1] Backport CVE fixes.

artifacts/images/agent-build.Dockerfile

@@ -1,5 +1,5 @@
 # Build the proxy-agent binary
-FROM golang:1.20.10 as builder
+FROM golang:1.20.12 as builder
 
 # Copy in the go src
 WORKDIR /go/src/sigs.k8s.io/apiserver-network-proxy

artifacts/images/server-build.Dockerfile

@@ -1,5 +1,5 @@
 # Build the proxy-server binary
-FROM golang:1.20.10 as builder
+FROM golang:1.20.12 as builder
 
 # Copy in the go src
 WORKDIR /go/src/sigs.k8s.io/apiserver-network-proxy

artifacts/images/test-client-build.Dockerfile

@@ -1,5 +1,5 @@
 # Build the client binary
-FROM golang:1.20.10 as builder
+FROM golang:1.20.12 as builder
 
 # Copy in the go src
 WORKDIR /go/src/sigs.k8s.io/apiserver-network-proxy

artifacts/images/test-server-build.Dockerfile

@@ -1,5 +1,5 @@
 # Build the http test server binary
-FROM golang:1.20.10 as builder
+FROM golang:1.20.12 as builder
 
 # Copy in the go src
 WORKDIR /go/src/sigs.k8s.io/apiserver-network-proxy

go.mod

@@ -11,8 +11,8 @@ require (
 	github.com/stretchr/testify v1.8.1
 	go.uber.org/goleak v1.2.1
 	golang.org/x/net v0.17.0
-	google.golang.org/grpc v1.51.0
-	google.golang.org/protobuf v1.28.1
+	google.golang.org/grpc v1.56.3
+	google.golang.org/protobuf v1.30.0
 	k8s.io/api v0.27.4
 	k8s.io/apimachinery v0.27.4
 	k8s.io/client-go v0.27.4
@@ -24,7 +24,7 @@ require (
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
@@ -51,13 +51,13 @@ require (
 	github.com/prometheus/client_model v0.3.0 // indirect
 	github.com/prometheus/common v0.37.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
-	golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect
+	golang.org/x/oauth2 v0.7.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/term v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 // indirect
+	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

konnectivity-client/go.mod

@@ -1,28 +1,28 @@
 module sigs.k8s.io/apiserver-network-proxy/konnectivity-client
 
-go 1.17
+go 1.20
 
 // Prefer to keep requirements compatible with the oldest supported
 // k/k minor version, to prevent client backport issues.
 require (
 	github.com/prometheus/client_golang v1.11.1
 	go.uber.org/goleak v1.2.0
 	golang.org/x/net v0.17.0 // indirect
-	google.golang.org/grpc v1.40.0
-	google.golang.org/protobuf v1.27.1
+	google.golang.org/grpc v1.56.3
+	google.golang.org/protobuf v1.30.0
 	k8s.io/klog/v2 v2.0.0
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.1.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/go-logr/logr v0.1.0 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.26.0 // indirect
 	github.com/prometheus/procfs v0.6.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
-	google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 // indirect
+	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 )

tests/proxy_test.go

@@ -268,7 +268,7 @@ func TestProxyHandle_RequestDeadlineExceeded_GRPC(t *testing.T) {
 
 	func() {
 		// Ensure that tunnels aren't leaked with long-running servers.
-		defer goleak.VerifyNone(t, goleak.IgnoreCurrent())
+		defer goleak.VerifyNone(t, goleak.IgnoreCurrent(), goleak.IgnoreTopFunction("google.golang.org/grpc.(*addrConn).resetTransport"))
 
 		// run test client
 		tunnel, err := client.CreateSingleUseGrpcTunnel(context.Background(), proxy.front, grpc.WithInsecure())
@@ -329,7 +329,7 @@ func TestProxyDial_RequestCancelled_GRPC(t *testing.T) {
 
 	func() {
 		// Ensure that tunnels aren't leaked with long-running servers.
-		defer goleak.VerifyNone(t, goleak.IgnoreCurrent())
+		defer goleak.VerifyNone(t, goleak.IgnoreCurrent(), goleak.IgnoreTopFunction("google.golang.org/grpc.(*addrConn).resetTransport"))
 
 		// run test client
 		tunnel, err := client.CreateSingleUseGrpcTunnel(context.Background(), proxy.front, grpc.WithInsecure())
@@ -423,7 +423,10 @@ func TestProxyDial_RequestCancelled_Concurrent_GRPC(t *testing.T) {
 	}
 
 	// Ensure that tunnels aren't leaked with long-running servers.
-	ignoredGoRoutines := goleak.IgnoreCurrent()
+	ignoredGoRoutines := []goleak.Option{
+		goleak.IgnoreCurrent(),
+		goleak.IgnoreTopFunction("google.golang.org/grpc.(*addrConn).resetTransport"),
+	}
 
 	const concurrentConns = 50
 	wg.Add(concurrentConns)
@@ -437,7 +440,7 @@ func TestProxyDial_RequestCancelled_Concurrent_GRPC(t *testing.T) {
 	var endpointConnsErr, goLeaksErr error
 	wait.PollImmediate(time.Second, wait.ForeverTestTimeout, func() (done bool, err error) {
 		endpointConnsErr = metricstest.ExpectAgentEndpointConnections(0)
-		goLeaksErr = goleak.Find(ignoredGoRoutines)
+		goLeaksErr = goleak.Find(ignoredGoRoutines...)
 		return endpointConnsErr == nil && goLeaksErr == nil, nil
 	})
 
@@ -467,7 +470,7 @@ func TestProxyDial_AgentTimeout_GRPC(t *testing.T) {
 
 	func() {
 		// Ensure that tunnels aren't leaked with long-running servers.
-		defer goleak.VerifyNone(t, goleak.IgnoreCurrent())
+		defer goleak.VerifyNone(t, goleak.IgnoreCurrent(), goleak.IgnoreTopFunction("google.golang.org/grpc.(*addrConn).resetTransport"))
 
 		// run test client
 		tunnel, err := client.CreateSingleUseGrpcTunnel(context.Background(), proxy.front, grpc.WithInsecure())
@@ -1069,7 +1072,7 @@ func expectCleanShutdown(t testing.TB) {
 	resetAllMetrics()
 	currentGoRoutines := goleak.IgnoreCurrent()
 	t.Cleanup(func() {
-		goleak.VerifyNone(t, currentGoRoutines)
+		goleak.VerifyNone(t, currentGoRoutines, goleak.IgnoreTopFunction("google.golang.org/grpc.(*addrConn).resetTransport"))
 		assertNoClientDialFailures(t)
 		assertNoServerDialFailures(t)
 		assertNoAgentDialFailures(t)