Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move to go 1.17 #12868

Merged
merged 15 commits into from Oct 21, 2021
Merged

Move to go 1.17 #12868

merged 15 commits into from Oct 21, 2021

Conversation

ncabatoff
Copy link
Contributor

In addition to the obvious changes, address some fallout from a breaking change (see https://golang.org/doc/go1.17#net):

  • ssh roles store CIDRList and ExcludeCIDRList as-is based on provided input in role update requests; they are subsequently parsed during creds generation via validateIP, which will return an error if the original CIDRs contain multiple leading zeroes.

  • similarly with approle and the secretID fields cidr_list, token_bound_cidrs

@ncabatoff ncabatoff requested a review from a team October 19, 2021 15:18
benashz
benashz approved these changes Oct 19, 2021
View reviewed changes
Copy link
Contributor

@benashz benashz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@vercel vercel bot temporarily deployed to Preview – vault October 19, 2021 16:23 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 19, 2021 16:23 Inactive
@vercel vercel bot temporarily deployed to Preview – vault October 19, 2021 16:28 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 19, 2021 16:28 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 19, 2021 16:42 Inactive
@vercel vercel bot temporarily deployed to Preview – vault October 19, 2021 16:42 Inactive
hghaf099
hghaf099 approved these changes Oct 19, 2021
View reviewed changes
Copy link
Contributor

@hghaf099 hghaf099 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@ncabatoff
Copy link
Contributor Author

Stripping leading zeroes still isn't quite right, the new 1.17 behaviour is to error when a leading zero is present in a non-zero component. So 0.0.0.0 is fine, but 1.01.1.1 isn't.

@vercel vercel bot temporarily deployed to Preview – vault October 19, 2021 17:47 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 19, 2021 17:47 Inactive
@ncabatoff ncabatoff changed the title Move to go 1.17 WIP Move to go 1.17 Oct 19, 2021
vishalnayak
vishalnayak reviewed Oct 19, 2021
View reviewed changes
builtin/credential/approle/path_role.go Outdated
if err != nil {
return nil, fmt.Errorf("error decoding SecretIDBoundCIDRs field of role storage entry: %w", err)
}
role.SecretIDBoundCIDRs[i] = ipn.String()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is the case but still asking this for confirmation. I assume that you intentionally left out setting needsUpgrade, with the rationale that we don't necessarily need to fix this in storage, as we fix things with every read? (same case with ssh engine)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, though I'm open to discussing it. This is me being a bit cautious, since atm even if we migrated all the bad data, we'd still have to keep this code around indefinitely unless we started mandating stepwise upgrades. Given that, I didn't see any reason to take the extra risk of re-writing the records; if there's a bug somewhere, at least we won't damage the data, and once we release a fixed version they can move forward without any manual remediation.

@vercel vercel bot temporarily deployed to Preview – vault-storybook October 20, 2021 14:22 Inactive
@vercel vercel bot temporarily deployed to Preview – vault October 20, 2021 14:22 Inactive
@ncabatoff
Merge branch 'main' into adopt-go-1.17
5c1456e 
# Conflicts:
#	go.mod
#	go.sum
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 20, 2021 14:30 Inactive
@ncabatoff
Try upgrading docker lib to see if that fixes the build error we're s…
800ba99 
…eeing on "github.com/docker/docker/pkg/archive"
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 20, 2021 15:00 Inactive
@vercel vercel bot temporarily deployed to Preview – vault October 20, 2021 15:00 Inactive
benashz
benashz reviewed Oct 20, 2021
View reviewed changes
helper/parseip/parseip.go Outdated Show resolved Hide resolved
@vercel vercel bot temporarily deployed to Preview – vault October 20, 2021 15:44 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 20, 2021 15:44 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 20, 2021 15:45 Inactive
@vercel vercel bot temporarily deployed to Preview – vault October 20, 2021 15:45 Inactive
benashz
benashz reviewed Oct 20, 2021
View reviewed changes
helper/parseip/parseip_test.go Show resolved Hide resolved
helper/parseip/parseip.go Show resolved Hide resolved
@vercel vercel bot temporarily deployed to Preview – vault October 20, 2021 17:24 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 20, 2021 17:24 Inactive
@ncabatoff
Copy link
Contributor Author

I did some manual testing by writing an approle role using 1.8.3:

  564  ./root auth enable approle
  565  ./root write auth/approle/role/testrole secret_id_bound_cidrs=127.0.0.01/24,10.001.10.0/16
  566  ./root read auth/approle/role/testrole

Then upgraded the cluster and:

./root read -field=secret_id_bound_cidrs auth/approle/role/testrole 
[127.0.0.1/24 10.1.10.0/16]

./root read -format=json auth/approle/role/testrole |jq -cr .data.secret_id_bound_cidrs
["127.0.0.1/24","10.1.10.0/16"]

@ncabatoff
Merge branch 'main' into adopt-go-1.17
473712a 
# Conflicts:
#	go.mod
#	go.sum
@vercel vercel bot temporarily deployed to Preview – vault October 20, 2021 17:44 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 20, 2021 17:54 Inactive
@ncabatoff
Reverted to main's go.mod, since I brought some changes over from my …
9f40c18 
…attempt at this PR in ent, and some of those changes were causing problems.
@vercel vercel bot temporarily deployed to Preview – vault October 20, 2021 19:08 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 20, 2021 19:08 Inactive
@ncabatoff ncabatoff changed the title WIP Move to go 1.17 Move to go 1.17 Oct 20, 2021
swayne275
swayne275 reviewed Oct 20, 2021
View reviewed changes
Copy link
Contributor

@swayne275 swayne275 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

at some point we might want to run tooling to upgrade all the +build to go:build https://golang.org/doc/go1.17

@vercel vercel bot temporarily deployed to Preview – vault-storybook October 21, 2021 13:03 Inactive
@vercel vercel bot temporarily deployed to Preview – vault October 21, 2021 13:03 Inactive
@ncabatoff ncabatoff merged commit 69f874b into main Oct 21, 2021
@ncabatoff ncabatoff deleted the adopt-go-1.17 branch October 21, 2021 13:32
@rgevaert rgevaert mentioned this pull request Nov 19, 2021
Closed
qk4l pushed a commit to qk4l/vault that referenced this pull request Feb 4, 2022
@ncabatoff
Move to go 1.17 (hashicorp#12868)
3d922fb 
Also ensure that the go 1.17 breaking changes to net.ParseCIDR don't make us choke on stored CIDRs that were acceptable to older Go versions.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vishalnayak vishalnayak vishalnayak left review comments

@benashz benashz benashz approved these changes

@swayne275 swayne275 swayne275 approved these changes

@hghaf099 hghaf099 hghaf099 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@ncabatoff @vishalnayak @swayne275 @benashz @hghaf099