sync with upstream & fix conflict

Signed-off-by: gang.liu <[email protected]>

.github/workflows/build_daily.yaml

@@ -13,7 +13,7 @@ permissions:
 env:
   GOPROXY: https://proxy.golang.org/
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  GO_VERSION: 1.21.6
+  GO_VERSION: 1.22.1
 
 jobs:
   e2e-envoy-xds:
@@ -22,7 +22,7 @@ jobs:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         persist-credentials: false
-    - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+    - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
       with:
         # * Module download cache
         # * Build cache (Linux)
@@ -58,7 +58,7 @@ jobs:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         persist-credentials: false
-    - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+    - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
       with:
         # * Module download cache
         # * Build cache (Linux)
@@ -94,7 +94,7 @@ jobs:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         persist-credentials: false
-    - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+    - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
       with:
         # * Module download cache
         # * Build cache (Linux)
@@ -133,7 +133,7 @@ jobs:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         persist-credentials: false
-    - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+    - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
       with:
         # * Module download cache
         # * Build cache (Linux)

.github/workflows/build_main.yaml

@@ -21,7 +21,7 @@ jobs:
       with:
         persist-credentials: false
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+      uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3.1.0
       with:
         version: latest
     - name: Log in to GHCR

.github/workflows/build_tag.yaml

@@ -19,7 +19,7 @@ permissions:
 env:
   GOPROXY: https://proxy.golang.org/
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  GO_VERSION: 1.21.6
+  GO_VERSION: 1.22.1
 
 jobs:
   build:
@@ -31,7 +31,7 @@ jobs:
       with:
         persist-credentials: false
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+      uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3.1.0
       with:
         version: latest
     - name: Log in to GHCR
@@ -59,7 +59,7 @@ jobs:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         persist-credentials: false
-    - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+    - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
       with:
         # * Module download cache
         # * Build cache (Linux)

.github/workflows/codeql-analysis.yml

@@ -14,7 +14,7 @@ permissions:
 
 env:
   GOPROXY: https://proxy.golang.org/
-  GO_VERSION: 1.21.6
+  GO_VERSION: 1.22.1
 
 jobs:
   CodeQL-Build:
@@ -25,7 +25,7 @@ jobs:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         persist-credentials: false
-    - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+    - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
       with:
         # * Module download cache
         # * Build cache (Linux)
@@ -41,11 +41,11 @@ jobs:
         cache: false
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+      uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
       with:
         languages: go
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     - name: Autobuild
-      uses: github/codeql-action/autobuild@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+      uses: github/codeql-action/autobuild@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+      uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6

.github/workflows/label_check.yaml

@@ -47,7 +47,7 @@ jobs:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         persist-credentials: false
-    - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+    - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
       with:
         # * Module download cache
         # * Build cache (Linux)

.github/workflows/openssf-scorecard.yaml

@@ -37,6 +37,6 @@ jobs:
         name: SARIF file
         path: results.sarif
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+      uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
       with:
         sarif_file: results.sarif

.github/workflows/prbuild.yaml

@@ -14,7 +14,7 @@ permissions:
 env:
   GOPROXY: https://proxy.golang.org/
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  GO_VERSION: 1.21.6
+  GO_VERSION: 1.22.1
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -29,7 +29,7 @@ jobs:
     - name: golangci-lint
       uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
       with:
-        version: v1.55.2
+        version: v1.56.2
         # TODO: re-enable linting tools package once https://github.com/projectcontour/contour/issues/5077
         # is resolved
         args: --build-tags=e2e,conformance,gcp,oidc,none --out-format=colored-line-number
@@ -66,7 +66,7 @@ jobs:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         persist-credentials: false
-    - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+    - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
       with:
         # * Module download cache
         # * Build cache (Linux)
@@ -105,7 +105,7 @@ jobs:
       with:
         persist-credentials: false
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+      uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3.1.0
       with:
         version: latest
     - name: Build image
@@ -155,11 +155,11 @@ jobs:
       with:
         persist-credentials: false
     - name: Download image
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
       with:
         name: image
         path: image
-    - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+    - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
       with:
         # * Module download cache
         # * Build cache (Linux)
@@ -218,11 +218,11 @@ jobs:
         # recent release tag.
         fetch-depth: 0
     - name: Download image
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
       with:
         name: image
         path: image
-    - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+    - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
       with:
         # * Module download cache
         # * Build cache (Linux)
@@ -265,7 +265,7 @@ jobs:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         persist-credentials: false
-    - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+    - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
       with:
         # * Module download cache
         # * Build cache (Linux)
@@ -284,12 +284,15 @@ jobs:
         ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin
         echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
     - name: test
+      env:
+        # TODO: remove once https://github.com/golang/go/issues/65653 is fixed
+        GOEXPERIMENT: nocoverageredesign
       run: |
         make install
         make check-coverage
     - name: codeCoverage
       if: ${{ success() }}
-      uses: codecov/codecov-action@e0b68c6749509c5f83f984dd99a76a1c1a231044 # v4.0.1
+      uses: codecov/codecov-action@54bcd8715eee62d40e33596ef5e8f0f48dbbccab # v4.1.0
       with:
         token: ${{ secrets.CODECOV_TOKEN }}
         files: coverage.out
@@ -309,7 +312,7 @@ jobs:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         persist-credentials: false
-    - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+    - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
       with:
         # * Module download cache
         # * Build cache (Windows)
@@ -328,6 +331,9 @@ jobs:
         ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin
         echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
     - name: test
+      env:
+        # TODO: remove once https://github.com/golang/go/issues/65653 is fixed
+        GOEXPERIMENT: nocoverageredesign
       run: |
         make install
         make check-coverage
@@ -345,11 +351,11 @@ jobs:
       with:
         persist-credentials: false
     - name: Download image
-      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
       with:
         name: image
         path: image
-    - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+    - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
       with:
         # * Module download cache
         # * Build cache (Linux)

.github/workflows/trivy-scan.yaml

@@ -27,14 +27,14 @@ jobs:
         with:
           persist-credentials: false
           ref: ${{ matrix.branch }}
-      - uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # 0.17.0
+      - uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # 0.18.0
         with:
           scanners: vuln
           scan-type: 'fs'
           format: 'sarif'
           output: 'trivy-results.sarif'
           ignore-unfixed: true
           severity: 'HIGH,CRITICAL'
-      - uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+      - uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
         with:
           sarif_file: 'trivy-results.sarif'

.golangci.yml

@@ -112,4 +112,7 @@ issues:
     linters: ["bodyclose"]
   - path: test/e2e
     linters: ["revive"]
-    text: "should not use dot imports"
+    text: "should not use dot imports"
+  - path: test/e2e
+    linters: ["testifylint"]
+    text: "require must only be used in the goroutine running the test function"

Makefile

@@ -12,7 +12,7 @@ GATEWAY_API_VERSION ?= $(shell grep "sigs.k8s.io/gateway-api" go.mod | awk '{pri
 # Used to supply a local Envoy docker container an IP to connect to that is running
 # 'contour serve'. On MacOS this will work, but may not on other OSes. Defining
 # LOCALIP as an env var before running 'make local' will solve that.
-LOCALIP ?= $(shell ifconfig | grep inet | grep -v '::' | grep -v 127.0.0.1 | head -n1 | awk '{print $$2}')
+LOCALIP ?= $(shell ifconfig | grep inet | grep -v '::' | grep -v 'inet 127.' | head -n1 | awk '{print $$2}')
 
 # Variables needed for running e2e tests.
 CONTOUR_E2E_LOCAL_HOST ?= $(LOCALIP)
@@ -44,7 +44,7 @@ endif
 IMAGE_PLATFORMS ?= linux/amd64,linux/arm64
 
 # Base build image to use.
-BUILD_BASE_IMAGE ?= golang:1.21.6@sha256:acab8ef05990e50fe0bc8446398d93d91fa89b3608661529dbd6744b77fcea90
+BUILD_BASE_IMAGE ?= golang:1.22.1@sha256:34ce21a9696a017249614876638ea37ceca13cdd88f582caad06f87a8aa45bf3
 
 # Enable build with CGO.
 BUILD_CGO_ENABLED ?= 0

changelogs/unreleased/6230-yangyy93-small.md

@@ -0,0 +1 @@
+Fix for specifying a health check port with an ExternalName Service.

changelogs/unreleased/6246-skriss-small.md

@@ -0,0 +1 @@
+Updates the example `envoyproxy/ratelimit` image tag to `19f2079f`, for multi-arch support and other improvements.

changelogs/unreleased/6250-skriss-small.md

@@ -0,0 +1 @@
+In the `envoy` go-control-plane xDS server, use a separate snapshot cache for Endpoints, to minimize the amount of unnecessary xDS traffic generated.

changelogs/unreleased/6265-sunjayBhatia-small.md

@@ -0,0 +1 @@
+Updates to Go 1.22.1. See the [Go release notes](https://go.dev/doc/devel/release#go1.22.minor) for more information.

cmd/contour/certgen_test.go

@@ -274,7 +274,7 @@ func TestOutputFileMode(t *testing.T) {
 
 			require.NoError(t, OutputCerts(tc.cc, nil, generatedCerts))
 
-			err = filepath.Walk(outputDir, func(path string, info os.FileInfo, err error) error {
+			err = filepath.Walk(outputDir, func(path string, info os.FileInfo, _ error) error {
 				if !info.IsDir() {
 					assert.Equal(t, os.FileMode(0o600), info.Mode(), "incorrect mode for file "+path)
 				}

cmd/contour/serve.go

@@ -23,7 +23,6 @@ import (
 	"time"
 
 	"github.com/alecthomas/kingpin/v2"
-	envoy_cache_v3 "github.com/envoyproxy/go-control-plane/pkg/cache/v3"
 	envoy_server_v3 "github.com/envoyproxy/go-control-plane/pkg/server/v3"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/sirupsen/logrus"
@@ -510,11 +509,7 @@ func (s *Server) doServe() error {
 	var snapshotHandler *xdscache_v3.SnapshotHandler
 
 	if contourConfiguration.XDSServer.Type == contour_v1alpha1.EnvoyServerType {
-		snapshotHandler = xdscache_v3.NewSnapshotHandler(
-			resources,
-			envoy_cache_v3.NewSnapshotCache(false, &contour_xds_v3.Hash, s.log.WithField("context", "snapshotCache")),
-			s.log.WithField("context", "snapshotHandler"),
-		)
+		snapshotHandler = xdscache_v3.NewSnapshotHandler(resources, s.log.WithField("context", "snapshotHandler"))
 
 		// register observer for endpoints updates.
 		endpointHandler.SetObserver(contour.ComposeObservers(snapshotHandler))
@@ -918,7 +913,7 @@ func (x *xdsServer) Start(ctx context.Context) error {
 	log := x.log.WithField("context", "xds")
 
 	log.Info("waiting for the initial dag to be built")
-	if err := wait.PollUntilContextCancel(ctx, initialDagBuildPollPeriod, true, func(ctx context.Context) (done bool, err error) {
+	if err := wait.PollUntilContextCancel(ctx, initialDagBuildPollPeriod, true, func(context.Context) (done bool, err error) {
 		return x.initialDagBuilt(), nil
 	}); err != nil {
 		return fmt.Errorf("failed to wait for initial dag build, %w", err)
@@ -929,7 +924,7 @@ func (x *xdsServer) Start(ctx context.Context) error {
 
 	switch x.config.Type {
 	case contour_v1alpha1.EnvoyServerType:
-		contour_xds_v3.RegisterServer(envoy_server_v3.NewServer(ctx, x.snapshotHandler.SnapshotCache, contour_xds_v3.NewRequestLoggingCallbacks(log)), grpcServer)
+		contour_xds_v3.RegisterServer(envoy_server_v3.NewServer(ctx, x.snapshotHandler.GetCache(), contour_xds_v3.NewRequestLoggingCallbacks(log)), grpcServer)
 	case contour_v1alpha1.ContourServerType:
 		contour_xds_v3.RegisterServer(contour_xds_v3.NewContourServer(log, xdscache.ResourcesOf(x.resources)...), grpcServer)
 	default:

cmd/contour/servecontext_test.go

@@ -232,7 +232,7 @@ func TestServeContextCertificateHandling(t *testing.T) {
 			}
 			if err == nil {
 				expectedCert, _ := tc.serverCredentials.X509Certificate()
-				assert.Equal(t, receivedCert, &expectedCert)
+				assert.Equal(t, &expectedCert, receivedCert)
 			}
 		})
 	}

cmd/contour/shutdownmanager.go

@@ -154,7 +154,7 @@ func (s *shutdownContext) shutdownHandler() {
 		Duration: 200 * time.Millisecond,
 		Factor:   5.0,
 		Jitter:   0.1,
-	}, func(err error) bool {
+	}, func(error) bool {
 		// Always retry any error.
 		return true
 	}, func() error {

examples/ratelimit/02-ratelimit.yaml

@@ -44,7 +44,7 @@ spec:
             - name: REDIS_URL
               value: redis:6379
         - name: ratelimit
-          image: docker.io/envoyproxy/ratelimit:8d6488ea  # latest a/o Mar 24 2022
+          image: docker.io/envoyproxy/ratelimit:19f2079f  # latest a/o Mar 5 2024
           ports:
             - containerPort: 8080
               name: http
@@ -83,7 +83,7 @@ spec:
             initialDelaySeconds: 5
             periodSeconds: 5
       volumes:
-        - name: ratelimit-config  
+        - name: ratelimit-config
           configMap:
             name: ratelimit-config