Fork Sync: Update from parent repository

.github/workflows/build.yaml

@@ -27,10 +27,14 @@ jobs:
       - name: Run static checks
         uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9
         with:
-          version: v2.1.6
+          version: v2.5.0
           # use our .golangci.yml
           args: --config=.golangci.yml --verbose
           skip-cache: true
+      - name: Run the slowg linter
+        run: |
+          go install github.com/cilium/linters@latest
+          linters -slowg ./...
       - name: govulncheck
         uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee
         with:

.golangci.yml

@@ -9,45 +9,62 @@ linters:
     - asciicheck
     - bidichk
     - bodyclose
+    - containedctx
     - contextcheck
     - copyloopvar
     - decorder
+    - dogsled
+    - dupl
     - dupword
     - durationcheck
     - err113
     - errchkjson
     - errname
+    - errorlint
+    - exhaustive
     - exptostd
+    - forbidigo
+    - forcetypeassert
     - gocheckcompilerdirectives
+    - goconst
     - gocritic
+    - godoclint
+    - godot
     - goheader
+    - gomodguard
     - goprintffuncname
     - gosec
     - govet
+    - grouper
     - importas
     - ineffassign
     - interfacebloat
     - intrange
+    - iotamixing
+    - ireturn
     - makezero
     - mirror
     - misspell
     - musttag
     - nakedret
+    - nestif
     - nilerr
+    - nilnil
     - noctx
     - nosprintfhostport
     - perfsprint
+    - prealloc
     - predeclared
     - promlinter
     - protogetter
     - reassign
     - revive
-    - rowserrcheck
     - sloglint
-    - sqlclosecheck
     - staticcheck
     - tagalign
     - testifylint
+    - thelper
+    - tparallel
     - unconvert
     - unparam
     - unused
@@ -59,9 +76,42 @@ linters:
       disabled-checks:
         - exitAfterDefer
         - singleCaseSwitch
+    godoclint:
+      default: all
+      disable:
+        - require-pkg-doc
+      options:
+        require-doc:
+          # Ignore unexported (private) symbols when applying the `require-doc` rule.
+          ignore-unexported: true
     goheader:
       template-path: ./HEADER
+    gomodguard:
+      blocked:
+        modules:
+          - github.com/goccy/go-yaml:
+              recommendations:
+                - go.yaml.in/yaml/v3
+              reason: "Let's consolidate on a single YAML library that is also used by most of our dependencies"
+          - gopkg.in/yaml.v2:
+              recommendations:
+                - go.yaml.in/yaml/v3
+              reason: "gopkg.in/yaml.v2 is unmaintained"
+          - gopkg.in/yaml.v3:
+              recommendations:
+                - go.yaml.in/yaml/v3
+              reason: "gopkg.in/yaml.v3 is unmaintained"
+          - go.uber.org/multierr:
+              recommendations:
+                - errors
+              reason: "Go 1.20+ has support for combining multiple errors, see https://go.dev/doc/go1.20#errors"
+          - go.yaml.in/yaml/v2:
+              recommendations:
+                - go.yaml.in/yaml/v3
+              reason: "We are using v3"
     gosec:
+      # available rules: https://github.com/securego/gosec#available-rules
+      includes: [] # include all available rules
       excludes:
         - G104 # Audit errors not checked
         - G307 # Deferring a method which returns an error
@@ -88,7 +138,15 @@ linters:
         - name: package-comments
           disabled: true
     sloglint:
+      no-mixed-args: true
+      no-global: all
       static-msg: true
+      key-naming-case: kebab # be consistent with key names
+      forbidden-keys: # let's no use reserved log keys
+        - level
+        - msg
+        - source
+        - time
   exclusions:
     rules:
       - linters:
@@ -100,3 +158,14 @@ formatters:
   enable:
     - gofmt
     - goimports
+  settings:
+    goimports:
+      local-prefixes:
+        - github.com/cilium/certgen/
+issues:
+  # Maximum issues count per one linter.
+  # Set to 0 to disable (default is 50)
+  max-issues-per-linter: 0
+  # Maximum count of issues with the same text.
+  # Set to 0 to disable (default is 3)
+  max-same-issues: 0

Dockerfile

@@ -1,8 +1,8 @@
 # (first line comment needed for DOCKER_BUILDKIT use)
 #
 # use skopeo inspect to get the multiarch manifest list digest
-# skopeo inspect --override-os linux docker://golang:1.24.5-alpine3.22 | jq -r '.Digest'
-ARG GOLANG_IMAGE=docker.io/library/golang:1.24.5-alpine3.22@sha256:daae04ebad0c21149979cd8e9db38f565ecefd8547cf4a591240dc1972cf1399
+# skopeo inspect --override-os linux docker://golang:1.25.3-alpine3.22 | jq -r '.Digest'
+ARG GOLANG_IMAGE=docker.io/library/golang:1.25.3-alpine3.22@sha256:aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34
 
 ARG BASE_IMAGE=scratch
 

cmd/certgen.go

@@ -29,10 +29,9 @@ import (
 
 const binaryName = "cilium-certgen"
 
-var log = logging.DefaultLogger.With(slog.String(logfields.LogSubsys, binaryName))
-
 // New creates and returns a certgen command.
 func New() (*cobra.Command, error) {
+	log := logging.Logger.With(slog.String(logfields.LogSubsys, binaryName))
 	vp := viper.New()
 	rootCmd := &cobra.Command{
 		Use:           binaryName + " [flags]",
@@ -51,7 +50,7 @@ func New() (*cobra.Command, error) {
 				"version", version.Version,
 			)
 
-			if err := generateCertificates(); err != nil {
+			if err := generateCertificates(log); err != nil {
 				log.Error("failed to generate certificates", "error", err)
 			}
 		},
@@ -135,8 +134,8 @@ func parseCertificateConfigs(cfg, cfgfile string) (certConfigs option.Certificat
 	return certConfigs, nil
 }
 
-// generateCertificates runs the main code to generate and store certificate
-func generateCertificates() error {
+// generateCertificates runs the main code to generate and store certificate.
+func generateCertificates(log *slog.Logger) error {
 	k8sClient, err := k8sConfig(option.Config.K8sKubeConfigPath)
 	if err != nil {
 		return fmt.Errorf("failed initialize kubernetes client: %w", err)
@@ -152,15 +151,16 @@ func generateCertificates() error {
 
 	ca := generate.NewCA(option.Config.CASecretName, option.Config.CASecretNamespace)
 
-	if option.Config.CAGenerate {
-		err = ca.Generate(option.Config.CACommonName, option.Config.CAValidityDuration)
+	switch {
+	case option.Config.CAGenerate:
+		err = ca.Generate(log, option.Config.CACommonName, option.Config.CAValidityDuration)
 		if err != nil {
 			return fmt.Errorf("failed to generate CA: %w", err)
 		}
 		ctx, cancel := context.WithTimeout(context.Background(), option.Config.K8sRequestTimeout)
 		defer cancel()
 
-		err = ca.StoreAsSecret(ctx, k8sClient, !option.Config.CAReuseSecret)
+		err = ca.StoreAsSecret(ctx, log, k8sClient, !option.Config.CAReuseSecret)
 		if err != nil {
 			if !k8sErrors.IsAlreadyExists(err) || !option.Config.CAReuseSecret {
 				return fmt.Errorf("failed to create secret for CA: %w", err)
@@ -170,7 +170,7 @@ func generateCertificates() error {
 		} else {
 			count++
 		}
-	} else if option.Config.CACertFile != "" && option.Config.CAKeyFile != "" {
+	case option.Config.CACertFile != "" && option.Config.CAKeyFile != "":
 		log.Info("Loading CA from file")
 		err = ca.LoadFromFile(option.Config.CACertFile, option.Config.CAKeyFile)
 		if err != nil {
@@ -204,7 +204,7 @@ func generateCertificates() error {
 			cfg.Namespace,
 		).WithHosts(cfg.Hosts)
 
-		err := certs[i].Generate(ca)
+		err := certs[i].Generate(log, ca)
 		if err != nil {
 			return fmt.Errorf("failed to generate cert: %w", err)
 		}
@@ -219,7 +219,7 @@ func generateCertificates() error {
 
 		ctx, cancel := context.WithTimeout(context.Background(), option.Config.K8sRequestTimeout)
 		defer cancel()
-		if err := cert.StoreAsSecret(ctx, k8sClient); err != nil {
+		if err := cert.StoreAsSecret(ctx, log, k8sClient); err != nil {
 			return fmt.Errorf("failed to create secret: %w", err)
 		}
 

go.mod

@@ -1,6 +1,6 @@
 module github.com/cilium/certgen
 
-go 1.24.5
+go 1.25.3
 
 require (
 	github.com/cloudflare/cfssl v1.6.5