Move to go 1.17

.circleci/config/commands/go_test.yml

@@ -14,7 +14,7 @@ parameters:
     default: false
   go_image:
     type: string
-    default: "docker.mirror.hashicorp.services/circleci/golang:1.16.7-buster"
+    default: "docker.mirror.hashicorp.services/circleci/golang:1.17.2-buster"
   use_docker:
     type: boolean
     default: false

.circleci/config/executors/@executors.yml

@@ -3,7 +3,7 @@ go-machine:
   shell: /usr/bin/env bash -euo pipefail -c
   environment:
     CIRCLECI_CLI_VERSION: 0.1.5546  # Pin CircleCI CLI to patch version (ex: 1.2.3)
-    GO_VERSION: 1.16.7  # Pin Go to patch version (ex: 1.2.3)
+    GO_VERSION: 1.17.2  # Pin Go to patch version (ex: 1.2.3)
     GOTESTSUM_VERSION: 0.5.2  # Pin gotestsum to patch version (ex: 1.2.3)
     GO_TAGS: ""
   working_directory: /go/src/github.com/hashicorp/vault
@@ -25,23 +25,23 @@ alpine:
 docker-env-go-test-remote-docker:
   resource_class: medium
   docker:
-    - image: "docker.mirror.hashicorp.services/circleci/golang:1.16.7-buster"
+    - image: "docker.mirror.hashicorp.services/circleci/golang:1.17.2-buster"
   environment:
     CIRCLECI_CLI_VERSION: 0.1.5546  # Pin CircleCI CLI to patch version (ex: 1.2.3)
     GO_TAGS: ""
   working_directory: /go/src/github.com/hashicorp/vault
 docker-env-go-test:
   resource_class: large
   docker:
-    - image: "docker.mirror.hashicorp.services/circleci/golang:1.16.7-buster"
+    - image: "docker.mirror.hashicorp.services/circleci/golang:1.17.2-buster"
   environment:
     CIRCLECI_CLI_VERSION: 0.1.5546  # Pin CircleCI CLI to patch version (ex: 1.2.3)
     GO_TAGS: ""
   working_directory: /go/src/github.com/hashicorp/vault
 docker-env-go-test-race:
   resource_class: xlarge
   docker:
-    - image: "docker.mirror.hashicorp.services/circleci/golang:1.16.7-buster"
+    - image: "docker.mirror.hashicorp.services/circleci/golang:1.17.2-buster"
   environment:
     CIRCLECI_CLI_VERSION: 0.1.5546  # Pin CircleCI CLI to patch version (ex: 1.2.3)
     GO_TAGS: ""

Makefile

@@ -15,7 +15,7 @@ EXTERNAL_TOOLS=\
 GOFMT_FILES?=$$(find . -name '*.go' | grep -v pb.go | grep -v vendor)
 
 
-GO_VERSION_MIN=1.16.7
+GO_VERSION_MIN=1.17.2
 GO_CMD?=go
 CGO_ENABLED?=0
 ifneq ($(FDB_ENABLED), )

README.md

@@ -72,7 +72,7 @@ Developing Vault
 
 If you wish to work on Vault itself or any of its built-in systems, you'll
 first need [Go](https://www.golang.org) installed on your machine. Go version
-1.16.7+ is *required*.
+1.17.2+ is *required*.
 
 For local dev first make sure Go is properly installed, including setting up a
 [GOPATH](https://golang.org/doc/code.html#GOPATH). Ensure that `$GOPATH/bin` is in

builtin/credential/approle/path_role.go

@@ -18,6 +18,7 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/policyutil"
 	"github.com/hashicorp/vault/sdk/helper/tokenutil"
 	"github.com/hashicorp/vault/sdk/logical"
+	k8snet "k8s.io/utils/net"
 )
 
 // roleStorageEntry stores all the options that are set on an role
@@ -818,6 +819,14 @@ func (b *backend) roleEntry(ctx context.Context, s logical.Storage, roleName str
 		needsUpgrade = true
 	}
 
+	for i, cidr := range role.SecretIDBoundCIDRs {
+		_, ipn, err := k8snet.ParseCIDRSloppy(cidr)
+		if err != nil {
+			return nil, fmt.Errorf("error decoding SecretIDBoundCIDRs field of role storage entry: %w", err)
+		}
+		role.SecretIDBoundCIDRs[i] = ipn.String()
+	}
+
 	if role.TokenPeriod == 0 && role.Period > 0 {
 		role.TokenPeriod = role.Period
 	}

builtin/credential/approle/validation.go

@@ -12,6 +12,7 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/cidrutil"
 	"github.com/hashicorp/vault/sdk/helper/locksutil"
 	"github.com/hashicorp/vault/sdk/logical"
+	k8snet "k8s.io/utils/net"
 )
 
 // secretIDStorageEntry represents the information stored in storage
@@ -110,6 +111,39 @@ func (b *backend) secretIDAccessorLock(secretIDAccessor string) *locksutil.LockE
 	return locksutil.LockForKey(b.secretIDAccessorLocks, secretIDAccessor)
 }
 
+func decodeSecretIDStorageEntry(entry *logical.StorageEntry) (*secretIDStorageEntry, error) {
+	result := secretIDStorageEntry{}
+	if err := entry.DecodeJSON(&result); err != nil {
+		return nil, err
+	}
+
+	cleanup := func(in []string) ([]string, error) {
+		var out []string
+		for _, s := range in {
+			_, ipn, err := k8snet.ParseCIDRSloppy(s)
+			if err != nil {
+				return nil, err
+			}
+			out = append(out, ipn.String())
+		}
+		return out, nil
+	}
+
+	cidrList, err := cleanup(result.CIDRList)
+	if err != nil {
+		return nil, fmt.Errorf("error decoding CIDRList field of secretid storage entry: %w", err)
+	}
+	result.CIDRList = cidrList
+
+	tokenCidrList, err := cleanup(result.TokenBoundCIDRs)
+	if err != nil {
+		return nil, fmt.Errorf("error decoding TokenBoundCIDRs field of secretid storage entry: %w", err)
+	}
+	result.TokenBoundCIDRs = tokenCidrList
+
+	return &result, nil
+}
+
 // nonLockedSecretIDStorageEntry fetches the secret ID properties from physical
 // storage. The entry will be indexed based on the given HMACs of both role
 // name and the secret ID. This method will not acquire secret ID lock to fetch
@@ -134,8 +168,8 @@ func (b *backend) nonLockedSecretIDStorageEntry(ctx context.Context, s logical.S
 		return nil, nil
 	}
 
-	result := secretIDStorageEntry{}
-	if err := entry.DecodeJSON(&result); err != nil {
+	result, err := decodeSecretIDStorageEntry(entry)
+	if err != nil {
 		return nil, err
 	}
 
@@ -154,12 +188,12 @@ func (b *backend) nonLockedSecretIDStorageEntry(ctx context.Context, s logical.S
 	}
 
 	if persistNeeded {
-		if err := b.nonLockedSetSecretIDStorageEntry(ctx, s, roleSecretIDPrefix, roleNameHMAC, secretIDHMAC, &result); err != nil {
+		if err := b.nonLockedSetSecretIDStorageEntry(ctx, s, roleSecretIDPrefix, roleNameHMAC, secretIDHMAC, result); err != nil {
 			return nil, fmt.Errorf("failed to upgrade role storage entry %w", err)
 		}
 	}
 
-	return &result, nil
+	return result, nil
 }
 
 // nonLockedSetSecretIDStorageEntry creates or updates a secret ID entry at the

builtin/logical/ssh/util.go

@@ -13,11 +13,11 @@ import (
 	"strings"
 	"time"
 
+	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-secure-stdlib/parseutil"
 	"github.com/hashicorp/vault/sdk/logical"
-
-	log "github.com/hashicorp/go-hclog"
 	"golang.org/x/crypto/ssh"
+	k8snet "k8s.io/utils/net"
 )
 
 // Creates a new RSA key pair with the given key length. The private key will be
@@ -142,11 +142,11 @@ func cidrListContainsIP(ip, cidrList string) (bool, error) {
 		return false, fmt.Errorf("IP does not belong to role")
 	}
 	for _, item := range strings.Split(cidrList, ",") {
-		_, cidrIPNet, err := net.ParseCIDR(item)
+		_, cidrIPNet, err := k8snet.ParseCIDRSloppy(item)
 		if err != nil {
 			return false, fmt.Errorf("invalid CIDR entry %q", item)
 		}
-		if cidrIPNet.Contains(net.ParseIP(ip)) {
+		if cidrIPNet.Contains(k8snet.ParseIPSloppy(ip)) {
 			return true, nil
 		}
 	}

changelog/12868.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+core: build with Go 1.17, and mitigate a breaking change they made that could impact how approle and ssh interpret IPs/CIDRs
+```