OCPBUGS-35525: update to go 1.21 and k8s.io mods to v0.29.2

[jluhrsen]

as part of fixing CVE-2023-48795 [0], the golang.org/x/crypto fixed this in v0.17 [1]. this brings in 0.22:

❯ go list -m -mod=mod all | rg crypto
golang.org/x/crypto v0.16.0 => golang.org/x/crypto v0.17.0

this also updated kubernetes.NewForConfig() which now requires context.Context as the first argument so that was updated.

[0] https://www.cve.org/CVERecord?id=CVE-2023-48795 [1] :
❯ git remote -v
origin https://go.googlesource.com/crypto (fetch) origin https://go.googlesource.com/crypto (push)
❯ git br

• (HEAD detached at v0.17.0) master
  ❯ git log -1
  commit 9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d (HEAD, tag: v0.17.0)
  Author: Roland Shoemaker [email protected]
  Date: Mon Nov 20 12:06:18 2023 -0800

  ssh: implement strict KEX protocol changes

  Implement the "strict KEX" protocol changes, as described in section
  1.9 of the OpenSSH PROTOCOL file (as of OpenSSH version 9.6/9.6p1).

  Namely this makes the following changes:
  * Both the server and the client add an additional algorithm to the initial KEXINIT message, indicating support for the strict KEX mode.
  * When one side of the connection sees the strict KEX extension algorithm, the strict KEX mode is enabled for messages originating from the other side of the connection. If the sequence number for the side which requested the extension is not 1 (indicating that it has already received non-KEXINIT packets), the connection is terminated. * When strict kex mode is enabled, unexpected messages during the handshake are considered fatal. Additionally when a key change occurs (on the receipt of the NEWKEYS message) the message sequence numbers are reset.

  Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk from Ruhr University Bochum for reporting this issue.

  Fixes CVE-2023-48795 Fixes x/crypto/ssh: implement strict KEX protocol changes golang/go#64784

  Change-Id: I96b53afd2bd2fb94d2b6f2a46a5dacf325357604
  Reviewed-on: https://go-review.googlesource.com/c/crypto/+/550715
  Reviewed-by: Nicola Murino [email protected]
  Reviewed-by: Tatiana Bradley [email protected]
  TryBot-Result: Gopher Robot [email protected]
  Run-TryBot: Roland Shoemaker [email protected]
  Reviewed-by: Damien Neil [email protected]
  LUCI-TryBot-Result: Go LUCI [email protected]

[openshift-ci-robot]

@jluhrsen: This pull request references Jira Issue OCPBUGS-35525, which is invalid:

• expected the bug to target either version "4.16." or "openshift-4.16.", but it targets "4.15.z" instead
• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required"
• expected Jira Issue OCPBUGS-35525 to depend on a bug targeting a version in 4.17.0 and in one of the following states: MODIFIED, ON_QA, VERIFIED, but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

as part of fixing CVE-2023-48795 [0], the golang.org/x/crypto fixed this in v0.17 [1]. this brings in 0.22:

❯ go list -m -mod=mod all | rg crypto
golang.org/x/crypto v0.16.0 => golang.org/x/crypto v0.17.0

this also updated kubernetes.NewForConfig() which now requires context.Context as the first argument so that was updated.

[0] https://www.cve.org/CVERecord?id=CVE-2023-48795 [1] :
❯ git remote -v
origin https://go.googlesource.com/crypto (fetch) origin https://go.googlesource.com/crypto (push)
❯ git br

• (HEAD detached at v0.17.0) master
  ❯ git log -1
  commit 9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d (HEAD, tag: v0.17.0)
  Author: Roland Shoemaker [email protected]
  Date: Mon Nov 20 12:06:18 2023 -0800

  ssh: implement strict KEX protocol changes

  Implement the "strict KEX" protocol changes, as described in section
  1.9 of the OpenSSH PROTOCOL file (as of OpenSSH version 9.6/9.6p1).

  Namely this makes the following changes:

  • Both the server and the client add an additional algorithm to the initial KEXINIT message, indicating support for the strict KEX mode.
  • When one side of the connection sees the strict KEX extension algorithm, the strict KEX mode is enabled for messages originating from the other side of the connection. If the sequence number for the side which requested the extension is not 1 (indicating that it has already received non-KEXINIT packets), the connection is terminated. * When strict kex mode is enabled, unexpected messages during the handshake are considered fatal. Additionally when a key change occurs (on the receipt of the NEWKEYS message) the message sequence numbers are reset.

  Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk from Ruhr University Bochum for reporting this issue.

  Fixes CVE-2023-48795 Fixes x/crypto/ssh: implement strict KEX protocol changes golang/go#64784

  Change-Id: I96b53afd2bd2fb94d2b6f2a46a5dacf325357604
  Reviewed-on: https://go-review.googlesource.com/c/crypto/+/550715
  Reviewed-by: Nicola Murino [email protected]
  Reviewed-by: Tatiana Bradley [email protected]
  TryBot-Result: Gopher Robot [email protected]
  Run-TryBot: Roland Shoemaker [email protected]
  Reviewed-by: Damien Neil [email protected]
  LUCI-TryBot-Result: Go LUCI [email protected]

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jluhrsen]

/jira refresh

[openshift-ci-robot]

@jluhrsen: This pull request references Jira Issue OCPBUGS-35525, which is invalid:

• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required"
• expected dependent Jira Issue OCPBUGS-35526 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead
• expected dependent Jira Issue OCPBUGS-35526 to target a version in 4.17.0, but it targets "4.17" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jluhrsen]

/jira refresh

[openshift-ci-robot]

@jluhrsen: This pull request references Jira Issue OCPBUGS-35525, which is invalid:

• expected dependent Jira Issue OCPBUGS-35526 to target a version in 4.17.0, but it targets "4.17" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jluhrsen]

/jira refresh

[openshift-ci-robot]

@jluhrsen: This pull request references Jira Issue OCPBUGS-35525, which is valid.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.16.z) matches configured target version for branch (4.16.z)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
• release note type set to "Release Note Not Required"
• dependent bug Jira Issue OCPBUGS-35526 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-35526 targets the "4.17.0" version, which is one of the valid target versions: 4.17.0
• bug has dependents

Requesting review from QA contact:
/cc @anuragthehatter

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ricky-rav]

/lgtm

[danwinship]

/approve
(mmm... look at that totally up-to-date OWNERS file)

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship, jluhrsen

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [danwinship]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[danwinship]

/label backport-risk-assessed
(not sure I can do this here...)

[openshift-ci]

@danwinship: Can not set label backport-risk-assessed: Must be member in one of these teams: [openshift-patch-managers openshift-staff-engineers openshift-release-oversight]

In response to this:

/label backport-risk-assessed
(not sure I can do this here...)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[asood-rh]

/label cherry-pick-approved

[openshift-ci]

@jluhrsen: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@jluhrsen: Jira Issue OCPBUGS-35525: All pull requests linked via external trackers have merged:

• openshift/egress-router-cni#85

Jira Issue OCPBUGS-35525 has been moved to the MODIFIED state.

In response to this:

as part of fixing CVE-2023-48795 [0], the golang.org/x/crypto fixed this in v0.17 [1]. this brings in 0.22:

❯ go list -m -mod=mod all | rg crypto
golang.org/x/crypto v0.16.0 => golang.org/x/crypto v0.17.0

this also updated kubernetes.NewForConfig() which now requires context.Context as the first argument so that was updated.

[0] https://www.cve.org/CVERecord?id=CVE-2023-48795 [1] :
❯ git remote -v
origin https://go.googlesource.com/crypto (fetch) origin https://go.googlesource.com/crypto (push)
❯ git br

• (HEAD detached at v0.17.0) master
  ❯ git log -1
  commit 9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d (HEAD, tag: v0.17.0)
  Author: Roland Shoemaker [email protected]
  Date: Mon Nov 20 12:06:18 2023 -0800

  ssh: implement strict KEX protocol changes

  Implement the "strict KEX" protocol changes, as described in section
  1.9 of the OpenSSH PROTOCOL file (as of OpenSSH version 9.6/9.6p1).

  Namely this makes the following changes:

  • Both the server and the client add an additional algorithm to the initial KEXINIT message, indicating support for the strict KEX mode.
  • When one side of the connection sees the strict KEX extension algorithm, the strict KEX mode is enabled for messages originating from the other side of the connection. If the sequence number for the side which requested the extension is not 1 (indicating that it has already received non-KEXINIT packets), the connection is terminated. * When strict kex mode is enabled, unexpected messages during the handshake are considered fatal. Additionally when a key change occurs (on the receipt of the NEWKEYS message) the message sequence numbers are reset.

  Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk from Ruhr University Bochum for reporting this issue.

  Fixes CVE-2023-48795 Fixes x/crypto/ssh: implement strict KEX protocol changes golang/go#64784

  Change-Id: I96b53afd2bd2fb94d2b6f2a46a5dacf325357604
  Reviewed-on: https://go-review.googlesource.com/c/crypto/+/550715
  Reviewed-by: Nicola Murino [email protected]
  Reviewed-by: Tatiana Bradley [email protected]
  TryBot-Result: Gopher Robot [email protected]
  Run-TryBot: Roland Shoemaker [email protected]
  Reviewed-by: Damien Neil [email protected]
  LUCI-TryBot-Result: Go LUCI [email protected]

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-egress-router-cni-container-v4.16.0-202407180206.p0.g7089efe.assembly.stream.el9 for distgit egress-router-cni.
All builds following this will include this PR.

[openshift-merge-robot]

Fix included in accepted release 4.16.0-0.nightly-2024-07-19-103710