Merged
6 changes: 3 additions & 3 deletions LICENSES
Expand Up @@ -65,7 +65,6 @@ github.com/google/btree,Apache-2.0
github.com/google/cel-go,Apache-2.0
github.com/google/cel-go,BSD-3-Clause
github.com/google/gnostic-models,Apache-2.0
github.com/google/go-cmp/cmp,BSD-3-Clause
github.com/google/uuid,BSD-3-Clause
github.com/gorilla/css/scanner,BSD-3-Clause
github.com/gorilla/websocket,BSD-2-Clause
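Review bot: dropping `github.com/google/go-cmp/cmp` from LICENSES only holds if go-cmp also left the module graph (go.mod/go.sum) in this PR; LICENSES is generated, so if go-cmp is still required anywhere the next `make generate` will put this line straight back. While here, `github.com/google/cel-go` is listed twice (Apache-2.0 and BSD-3-Clause) in the unchanged context; that looks like the generator picking up two license files from one module and is worth a separate look, not a blocker for this change.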
Expand Down Expand Up @@ -100,6 +99,8 @@ go.opentelemetry.io/otel,Apache-2.0
go.opentelemetry.io/otel/trace,Apache-2.0
go.uber.org/multierr,MIT
go.uber.org/zap,MIT
go.yaml.in/yaml/v2,Apache-2.0
go.yaml.in/yaml/v3,MIT
golang.org/x/crypto,BSD-3-Clause
golang.org/x/exp,BSD-3-Clause
golang.org/x/net,BSD-3-Clause
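Review bot: `go.yaml.in/yaml/v2` and `go.yaml.in/yaml/v3` are a module path that did not appear in this file before. Confirm it enters the graph transitively through the Kubernetes dependency bump (the same PR adds `sigs.k8s.io/yaml/goyaml.v2` further down) rather than as a new direct `require`, and that `go.sum` records it, since a new origin host for a YAML parser is exactly the kind of dependency change to verify before cutting a release. Two different identifiers for the two majors (Apache-2.0 for v2, MIT for v3) is consistent with how the upstream yaml library is licensed, but check the recorded LICENSE text rather than trusting the generator on it.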
Expand Down Expand Up @@ -139,8 +140,7 @@ sigs.k8s.io/controller-runtime/pkg,Apache-2.0
sigs.k8s.io/json,Apache-2.0
sigs.k8s.io/json,BSD-3-Clause
sigs.k8s.io/randfill,Apache-2.0
sigs.k8s.io/structured-merge-diff/v4,Apache-2.0
sigs.k8s.io/structured-merge-diff/v6,Apache-2.0
sigs.k8s.io/yaml,MIT
sigs.k8s.io/yaml,Apache-2.0
sigs.k8s.io/yaml,BSD-3-Clause
sigs.k8s.io/yaml/goyaml.v2,Apache-2.0
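Review bot: `sigs.k8s.io/structured-merge-diff` jumps from v4 to v6, two major versions, alongside the apimachinery/controller-runtime bump. Make sure v4 is really gone from go.mod (a stale `require` of v4 next to v6 keeps both in the build, since they are distinct module paths) and that the v6 version selected matches what the new `k8s.io/apimachinery` requires; mismatched structured-merge-diff versions show up later as confusing server-side-apply and field-manager behaviour, not at build time.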
36 changes: 26 additions & 10 deletions RELEASE.md
Expand Up @@ -15,38 +15,54 @@ The release process is semi-automated.
> - Create a draft GitHub release,
> - Upload the Helm chart tarball to the GitHub release.

1. Open the [tests GitHub Actions workflow][tests-workflow]
1. Upgrade the Go dependencies.

You will need to install `go-mod-upgrade`:

```bash
go install github.com/oligot/go-mod-upgrade@latest
```

Then, run the following:

```bash
go-mod-upgrade
make generate
```

Finally, create a PR with the changes and merge it.
Contributor Author
That's what I'm doing in this PR.


2. Open the [tests GitHub Actions workflow][tests-workflow]
and verify that it succeeds on the master branch.

2. Run govulncheck:
3. Run govulncheck:
```bash
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck -v ./...
make verify-govulncheck
Contributor Author
The verify-govulncheck target was fixed recently, to allow it to run when there are non-open-source Go modules in use:

$ make verify-govulncheck
Running 'GOTOOLCHAIN=go1.25.1 _bin/tools/govulncheck ./...' in directory '.'
No vulnerabilities found.

```

3. Create a tag for the new release:
4. Create a tag for the new release:
```sh
export VERSION=v1.1.0
git tag --annotate --message="Release ${VERSION}" "${VERSION}"
git push origin "${VERSION}"
```

4. Wait until the GitHub Actions finishes.
5. Wait until the GitHub Actions finishes.

5. Navigate to the GitHub Releases page and select the draft release to edit.
6. Navigate to the GitHub Releases page and select the draft release to edit.
1. Click on “Generate release notes” to automatically compile the changelog.
2. Review and refine the generated notes to ensure they’re clear and useful
for end users.
3. Remove any irrelevant entries, such as “update deps,” “update CI,” “update
docs,” or similar internal changes that do not impact user functionality.

6. Publish the release.
7. Publish the release.

7. Inform the `#venctl` channel that a new version of Venafi Kubernetes Agent has been
8. Inform the `#venctl` channel that a new version of Venafi Kubernetes Agent has been
released. Make sure to share any breaking change that may affect `venctl connect`
or `venctl generate`.

8. Inform Michael McLoughlin of the new release so he can update the
9. Inform Michael McLoughlin of the new release so he can update the
documentation at <https://docs.venafi.cloud/>.

[tests-workflow]: https://github.com/jetstack/jetstack-secure/actions/workflows/tests.yaml?query=branch%3Amaster
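Review bot: step 1 installs the upgrade tool with `go install github.com/oligot/go-mod-upgrade@latest`, which is the same unpinned-`@latest` pattern step 3 just removed for govulncheck (replaced by `make verify-govulncheck`, which runs a locally built `_bin/tools/govulncheck`). Pin it the same way, either a version in the `go install` line or a Make target under `_bin/tools`, so two maintainers cutting a release get the same tool. Two smaller points in the same step: `go-mod-upgrade` is interactive and offers major-version bumps, so the doc should say to decline those unless the release intends them (this PR's own LICENSES diff shows structured-merge-diff moving from v4 to v6, so it does happen), and a `go mod tidy` line before `make generate` would keep go.sum and LICENSES consistent. Finally, step 5 "Wait until the GitHub Actions finishes" should read "until the GitHub Actions workflow finishes" and say which workflow is meant (the release workflow triggered by the tag, not the tests workflow from step 2).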
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.3
controller-gen.kubebuilder.io/version: v0.18.0
name: venaficonnections.jetstack.io
spec:
group: jetstack.io
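Review bot: the `controller-gen.kubebuilder.io/version` annotation moving to v0.18.0 means the generator itself was upgraded; check that the pinned controller-gen version in the build tooling (Makefile or `_bin/tools`) was bumped in this same PR, otherwise `make generate` on another machine flips this annotation back to v0.17.3 and produces churn on every regeneration.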
Expand Down Expand Up @@ -94,6 +94,210 @@ spec:
type: object
type: object
x-kubernetes-map-type: atomic
firefly:
properties:
accessToken:
description: |-
The list of steps to retrieve the Access Token that will be used to connect
to Firefly.
items:
properties:
hashicorpVaultLDAP:
description: |-
HashicorpVaultLDAP is a SecretSource step that requires a Vault token in
the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It
then fetches the requested secrets from Vault for use in the next step.
properties:
ldapPath:
description: |-
The full HTTP path to the secret in Vault. Example:
/v1/ldap/static-cred/:role_name
or
/v1/ldap/creds/:role_name
type: string
url:
description: The URL to connect to your HashiCorp Vault
instance.
type: string
required:
- ldapPath
type: object
hashicorpVaultOAuth:
description: |-
HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource
step to provide an OAuth token, which this step uses to authenticate to
Vault. The output of this step is a Vault token. This step allows you to use
the step `HashicorpVaultSecret` afterwards.
properties:
authInputType:
description: |-
AuthInputType is the authentication method to be used to authenticate
with HashiCorp Vault. The only supported value is "OIDC".
enum:
- OIDC
type: string
authPath:
description: |-
The login URL used for obtaining the Vault token. Example:
/v1/auth/oidc/login
type: string
clientId:
description: 'Deprecated: This field does nothing and
will be removed in the future.'
type: string
role:
description: |-
The role defined in Vault that we want to use when authenticating to
Vault.
type: string
url:
description: The URL to connect to your HashiCorp Vault
instance.
type: string
required:
- authInputType
- authPath
- role
type: object
hashicorpVaultSecret:
description: |-
HashicorpVaultSecret is a SecretSource step that requires a Vault token in
the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It
then fetches the requested secrets from Vault for use in the next step.
properties:
fields:
description: |-
The fields are Vault keys pointing to the secrets passed to the next
SecretSource step.

Example 1 (TPP, username and password): imagining that you have stored
the username and password for TPP under the keys "username" and
"password", you will want to set this field to `["username",
"password"]`. The username is expected to be given first, the password
second.
items:
type: string
type: array
secretPath:
description: |-
The full HTTP path to the secret in Vault. Example:
/v1/secret/data/application-team-a/tpp-username-password
type: string
url:
description: The URL to connect to your HashiCorp Vault
instance.
type: string
required:
- fields
- secretPath
type: object
secret:
description: |-
Secret is a SecretSource step meant to be the first step. It retrieves secret
values from a Kubernetes Secret, and passes them to the next step.
properties:
fields:
description: |-
The names of the fields we want to extract from the Kubernetes secret.
These fields are passed to the next step in the chain.
items:
type: string
type: array
name:
description: The name of the Kubernetes secret.
type: string
required:
- fields
- name
type: object
serviceAccountToken:
description: |-
ServiceAccountToken is a SecretSource step meant to be the first step. It
uses the Kubernetes TokenRequest API to retrieve a token for a given service
account, and passes it to the next step.
properties:
audiences:
description: |-
Audiences are the intendend audiences of the token. A recipient of a
token must identify themself with an identifier in the list of
audiences of the token, and otherwise should reject the token. A
token issued for multiple audiences may be used to authenticate
against any of the audiences listed but implies a high degree of
trust between the target audiences.
items:
type: string
type: array
expirationSeconds:
description: |-
ExpirationSeconds is the requested duration of validity of the request. The
token issuer may return a token with a different validity duration so a
client needs to check the 'expiration' field in a response.
format: int64
type: integer
name:
description: The name of the Kubernetes service account.
type: string
required:
- audiences
- name
type: object
tppOAuth:
description: |-
TPPOAuth is a SecretSource step that authenticates to a TPP server. This
step is meant to be the last step and requires a prior step that depends
on the `authInputType`.
properties:
authInputType:
description: |-
AuthInputType is the authentication method to be used to authenticate
with TPP. The supported values are "UsernamePassword" and "JWT".
enum:
- UsernamePassword
- JWT
type: string
clientId:
description: ClientID is the clientId used to authenticate
with TPP.
type: string
url:
description: |-
The URL to connect to the Venafi TPP instance. The two URLs
https://tpp.example.com and https://tpp.example.com/vedsdk are
equivalent. The ending `/vedsdk` is optional and is stripped out
by our client.
If not set, defaults to the URL defined at the top-level of the
TPP configuration.
type: string
required:
- authInputType
type: object
vcpOAuth:
description: |-
VCPOAuth is a SecretSource step that authenticates to the Venafi Control
Plane. This step is meant to be the last step and requires a prior step
that outputs a JWT token.
properties:
tenantID:
description: TenantID is the tenant ID used to authenticate
with VCP.
type: string
type: object
type: object
x-kubernetes-validations:
- message: must have exactly one field set
rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken)
? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret)
? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth)
? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1'
maxItems: 50
type: array
x-kubernetes-list-type: atomic
url:
description: The URL to connect to the Venafi Firefly instance.
type: string
required:
- url
type: object
tpp:
properties:
accessToken:
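Review bot: the `hashicorpVaultLDAP` description ("HashicorpVaultLDAP is a SecretSource step that requires a Vault token in the previous step ... then fetches the requested secrets from Vault") is a verbatim copy of the `hashicorpVaultSecret` description and says nothing about LDAP; it should state what the step outputs (the username/password returned by the `ldapPath` credential endpoint, per the `/v1/ldap/creds/:role_name` example) so users know which next step it feeds. Since this YAML is generated from Go doc comments, the fix belongs on the struct in the API package. Related: every step kind in this new `firefly.accessToken` list is shared with the `tpp` block, and the two terminal steps describe themselves as authenticating to "a TPP server" and "the Venafi Control Plane", so the `firefly` docs should say which step is meant to be last for Firefly. Smaller items in the same hunk: `audiences` is required but permits an empty list (`minItems: 1` would match TokenRequest semantics); `expirationSeconds` has no `minimum`; `url` under `hashicorpVaultLDAP`, `hashicorpVaultOAuth` and `hashicorpVaultSecret` is optional without saying where it defaults from, whereas `tppOAuth.url` spells this out; and "intendend" / "identify themself" in the `audiences` description are typos that appear to be inherited from the upstream Kubernetes TokenRequest comment. The `x-kubernetes-validations` rule requiring exactly one step kind per item is the right shape, but note it enforces only that, not chain order, so a secret step placed after an OAuth step is a runtime error rather than an admission error.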
Expand Down Expand Up @@ -1117,7 +1321,7 @@ spec:
- message: 'must have exactly ONE of the following fields set: tpp or
vcp'
rule: '(has(self.tpp) ? 1 : 0) + (has(self.vaas) ? 1 : 0) + (has(self.vcp)
? 1 : 0) == 1'
? 1 : 0) + (has(self.firefly) ? 1 : 0) == 1'
status:
properties:
conditions:
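Review bot: the rule now counts `self.firefly`, but the `message` still reads "must have exactly ONE of the following fields set: tpp or vcp", so a user who sets both `tpp` and `firefly` gets an error that never mentions firefly. Update it to "tpp, vcp or firefly" (`vaas` is also counted in the rule but absent from the message, presumably as a deprecated alias for vcp; if so, either say so or leave it out of the message deliberately).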