bump go to 1.25, move tools into go tools where possible

Author: AshleyDumaine

Makefile

@@ -7,8 +7,6 @@ CACHE_BIN               ?= $(CURDIR)/bin
 LOCALBIN                ?= $(CACHE_BIN)
 
 DEVBOX_BIN              ?= $(DEVBOX_PACKAGES_DIR)/bin
-HELM                    ?= $(LOCALBIN)/helm
-HELM_VERSION            ?= v3.16.3
 
 #####################################################################
 # Dev Setup
@@ -31,7 +29,6 @@ LINODE_URL              ?= https://api.linode.com
 KUBECONFIG_PATH         ?= $(CURDIR)/test-cluster-kubeconfig.yaml
 SUBNET_KUBECONFIG_PATH	?= $(CURDIR)/subnet-testing-kubeconfig.yaml
 MGMT_KUBECONFIG_PATH    ?= $(CURDIR)/mgmt-cluster-kubeconfig.yaml
-GOLANGCI_LINT_VERSION   ?= v2.1.5
 
 # if the $DEVBOX_PACKAGES_DIR env variable exists that means we are within a devbox shell and can safely
 # use devbox's bin for our tools
@@ -48,6 +45,12 @@ export GO111MODULE=on
 .PHONY: all
 all: build
 
+## --------------------------------------
+## Cleanup
+## --------------------------------------
+
+##@ Cleanup:
+
 .PHONY: clean
 clean:
 	@go clean .
@@ -56,32 +59,55 @@ clean:
 	@rm -rf $(RELEASE_DIR)
 	@rm -rf $(LOCALBIN)
 
-.PHONY: codegen
-codegen:
-	go generate ./...
+## --------------------------------------
+## Development
+## --------------------------------------
+
+##@ Development:
+
+.PHONY: fmt
+fmt: ## Run go fmt against code.
+	go fmt ./...
 
 .PHONY: vet
-vet: fmt
+vet: ## Run go vet against code.
 	go vet ./...
 
+.PHONY: gosec
+gosec: tools ## Run gosec against code.
+	gosec -exclude-dir=bin -exclude-generated ./...
+
 .PHONY: lint
-lint:
-	docker run --rm -w /workdir -v $(PWD):/workdir golangci/golangci-lint:$(GOLANGCI_LINT_VERSION) golangci-lint run -c .golangci.yml --fix
+lint: tools ## Run lint against code.
+	golangci-lint run -c .golangci.yml
 
-.PHONY: gosec
-gosec: ## Run gosec against code.
-	docker run --rm -v "$(PWD):/var/work:ro" -w /var/work securego/gosec:2.19.0 \
-		-exclude-dir=bin -exclude-generated ./...
+.PHONY: nilcheck
+nilcheck: tools ## Run nil check against code.
+	go list ./... | xargs -I {} -d '\n' nilaway -include-pkgs {} -exclude-file-docstrings "ignore_autogenerated" ./...
 
-.PHONY: fmt
-fmt:
-	go fmt ./...
+.PHONY: vulncheck
+vulncheck: tools ## Run vulnerability check against code.
+	govulncheck ./...
+
+.PHONY: codegen
+codegen:
+	go generate ./...
+
+## --------------------------------------
+## Testing
+## --------------------------------------
+
+##@ Testing:
 
 .PHONY: test
 # we say code is not worth testing unless it's formatted
 test: fmt codegen
 	go test -v -coverpkg=./sentry,./cloud/linode/client,./cloud/linode,./cloud/linode/utils,./cloud/linode/services,./cloud/nodeipam,./cloud/nodeipam/ipam -coverprofile ./coverage.out -cover ./sentry/... ./cloud/... $(TEST_ARGS)
 
+## --------------------------------------
+## Build
+## --------------------------------------
+
 .PHONY: build-linux
 build-linux: codegen
 	echo "cross compiling linode-cloud-controller-manager for linux/amd64" && \
@@ -142,21 +168,21 @@ run-debug: build
 #####################################################################
 
 .PHONY: mgmt-and-capl-cluster
-mgmt-and-capl-cluster: docker-setup mgmt-cluster capl-cluster
+mgmt-and-capl-cluster: tools docker-setup mgmt-cluster capl-cluster
 
 .PHONY: capl-cluster
-capl-cluster: generate-capl-cluster-manifests create-capl-cluster patch-linode-ccm
+capl-cluster: tools generate-capl-cluster-manifests create-capl-cluster patch-linode-ccm
 
 .PHONY: generate-capl-cluster-manifests
-generate-capl-cluster-manifests:
+generate-capl-cluster-manifests: tools
 	# Create the CAPL cluster manifests without any CSI driver stuff
 	LINODE_FIREWALL_ENABLED=$(LINODE_FIREWALL_ENABLED) LINODE_OS=$(LINODE_OS) VPC_NAME=$(VPC_NAME) clusterctl generate cluster $(CLUSTER_NAME) \
 		--kubernetes-version $(K8S_VERSION) --infrastructure linode-linode:$(CAPL_VERSION) \
 		--control-plane-machine-count $(CONTROLPLANE_NODES) --worker-machine-count $(WORKER_NODES) > $(MANIFEST_NAME).yaml
 	yq -i e 'select(.kind == "LinodeVPC").spec.subnets = [{"ipv4": "10.0.0.0/8", "label": "default"}, {"ipv4": "172.16.0.0/16", "label": "testing"}]' $(MANIFEST_NAME).yaml
 
 .PHONY: create-capl-cluster
-create-capl-cluster:
+create-capl-cluster: tools
 	# Create a CAPL cluster with updated CCM and wait for it to be ready
 	kubectl apply -f $(MANIFEST_NAME).yaml
 	kubectl wait --for=condition=ControlPlaneReady cluster/$(CLUSTER_NAME) --timeout=600s || (kubectl get cluster -o yaml; kubectl get linodecluster -o yaml; kubectl get linodemachines -o yaml)
@@ -167,14 +193,14 @@ create-capl-cluster:
 	KUBECONFIG=$(KUBECONFIG_PATH) kubectl taint nodes -l node-role.kubernetes.io/control-plane node-role.kubernetes.io/control-plane-
 
 .PHONY: patch-linode-ccm
-patch-linode-ccm:
+patch-linode-ccm: tools
 	KUBECONFIG=$(KUBECONFIG_PATH) kubectl patch -n kube-system daemonset ccm-linode --type='json' -p="[{'op': 'replace', 'path': '/spec/template/spec/containers/0/image', 'value': '${IMG}'}]"
 	KUBECONFIG=$(KUBECONFIG_PATH) kubectl patch -n kube-system daemonset ccm-linode --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/env/-", "value": {"name": "LINODE_API_VERSION", "value": "v4beta"}}]'
 	KUBECONFIG=$(KUBECONFIG_PATH) kubectl rollout status -n kube-system daemonset/ccm-linode --timeout=600s
 	KUBECONFIG=$(KUBECONFIG_PATH) kubectl -n kube-system get daemonset/ccm-linode -o yaml
 
 .PHONY: mgmt-cluster
-mgmt-cluster:
+mgmt-cluster: tools
 	# Create a mgmt cluster
 	ctlptl apply -f e2e/setup/ctlptl-config.yaml
 	clusterctl init \
@@ -188,14 +214,14 @@ mgmt-cluster:
 	kind get kubeconfig --name=caplccm > $(MGMT_KUBECONFIG_PATH)
 
 .PHONY: cleanup-cluster
-cleanup-cluster:
+cleanup-cluster: tools
 	kubectl delete cluster -A --all --timeout=180s
 	kubectl delete linodefirewalls -A --all --timeout=60s
 	kubectl delete lvpc -A --all --timeout=60s
 	kind delete cluster -n caplccm
 
 .PHONY: e2e-test
-e2e-test:
+e2e-test: tools
 	CLUSTER_NAME=$(CLUSTER_NAME) \
 	MGMT_KUBECONFIG=$(MGMT_KUBECONFIG_PATH) \
 	KUBECONFIG=$(KUBECONFIG_PATH) \
@@ -205,7 +231,7 @@ e2e-test:
 	chainsaw test e2e/test --parallel 2 $(E2E_FLAGS)
 
 .PHONY: e2e-test-bgp
-e2e-test-bgp:
+e2e-test-bgp: tools
 	KUBECONFIG=$(KUBECONFIG_PATH) CLUSTER_SUFFIX=$(CLUSTER_NAME) ./e2e/setup/cilium-setup.sh
 	KUBECONFIG=$(KUBECONFIG_PATH) kubectl -n kube-system rollout status daemonset/ccm-linode --timeout=300s
 	CLUSTER_NAME=$(CLUSTER_NAME) \
@@ -217,7 +243,7 @@ e2e-test-bgp:
 		chainsaw test e2e/bgp-test/lb-cilium-bgp $(E2E_FLAGS)
 
 .PHONY: e2e-test-subnet
-e2e-test-subnet: 
+e2e-test-subnet: tools
 	# Generate cluster manifests for second cluster
 	SUBNET_NAME=testing CLUSTER_NAME=$(SUBNET_CLUSTER_NAME) MANIFEST_NAME=$(SUBNET_MANIFEST_NAME) VPC_NAME=$(CLUSTER_NAME) \
 		VPC_NETWORK_CIDR=172.16.0.0/16 K8S_CLUSTER_CIDR=172.16.64.0/18 make generate-capl-cluster-manifests
@@ -255,6 +281,25 @@ else ifeq ($(ARCH_SHORT),aarch64)
 ARCH_SHORT := arm64
 endif
 
+## --------------------------------------
+## Tooling Binaries
+## --------------------------------------
+
+##@ Tooling Binaries:
+HELM                    ?= $(LOCALBIN)/helm
+
+## Tool Versions
+CLUSTERCTL_VERSION       ?= v1.11.1
+KUBECTL_VERSION          ?= v1.28.0
+CHAINSAW_VERSION         ?= v0.2.13
+HELM_VERSION             ?= v3.16.3
+
+.PHONY: tools
+tools: $(CLUSTERCTL) $(KUBECTL)
+	go install tool
+##@ we can't manage this with go tools because it causes a panic due to missing CRDs when running chainsaw
+	go install github.com/kyverno/chainsaw@$(CHAINSAW_VERSION)
+
 .PHONY: helm
 helm: $(HELM) ## Download helm locally if necessary
 $(HELM): $(LOCALBIN)
@@ -273,3 +318,16 @@ helm-template: helm
 #Verify template works when region and apiToken are passed, and when it is passed as reference.
 	@$(HELM) template foo deploy/chart --set apiToken="apiToken",region="us-east" > /dev/null
 	@$(HELM) template foo deploy/chart --set secretRef.apiTokenRef="apiToken",secretRef.name="api",secretRef.regionRef="us-east" > /dev/null
+
+.PHONY: kubectl
+kubectl: $(KUBECTL) ## Download kubectl locally if necessary.
+$(KUBECTL): $(LOCALBIN)
+	curl -fsSL https://dl.k8s.io/release/$(KUBECTL_VERSION)/bin/$(OS)/$(ARCH_SHORT)/kubectl -o $(KUBECTL)
+	chmod +x $(KUBECTL)
+
+
+.PHONY: clusterctl
+clusterctl: $(CLUSTERCTL) ## Download clusterctl locally if necessary.
+$(CLUSTERCTL): $(LOCALBIN)
+	curl -fsSL https://github.com/kubernetes-sigs/cluster-api/releases/download/$(CLUSTERCTL_VERSION)/clusterctl-$(OS)-$(ARCH_SHORT) -o $(CLUSTERCTL)
+	chmod +x $(CLUSTERCTL)

cloud/annotations/annotations.go

@@ -16,6 +16,7 @@ const (
 	AnnLinodeHealthCheckInterval = "service.beta.kubernetes.io/linode-loadbalancer-check-interval"
 	AnnLinodeHealthCheckTimeout  = "service.beta.kubernetes.io/linode-loadbalancer-check-timeout"
 	AnnLinodeHealthCheckAttempts = "service.beta.kubernetes.io/linode-loadbalancer-check-attempts"
+	//gosec:disable G101 -- This is a false positive
 	AnnLinodeHealthCheckPassive  = "service.beta.kubernetes.io/linode-loadbalancer-check-passive"
 
 	AnnLinodeUDPCheckPort = "service.beta.kubernetes.io/linode-loadbalancer-udp-check-port"

cloud/linode/cloud.go

@@ -22,6 +22,7 @@ import (
 const (
 	// The name of this cloudprovider
 	ProviderName           = "linode"
+	//gosec:disable G101 -- This is a false positive
 	accessTokenEnv         = "LINODE_API_TOKEN"
 	regionEnv              = "LINODE_REGION"
 	ciliumLBType           = "cilium-bgp"

devbox.json

@@ -1,18 +1,12 @@
 {
   "packages": [
-    "ctlptl@latest",
-    "clusterctl@latest",
-    "docker@latest",
-    "envsubst@latest",
-    "[email protected]",
-    "golangci-lint@latest",
-    "jq@latest",
-    "kind@latest",
-    "kubectl@latest",
-    "kustomize@latest",
-    "kyverno-chainsaw@latest",
-    "mockgen@latest",
-    "yq-go@latest"
+    "[email protected]",
+    "[email protected]",
+    "[email protected]",
+    "[email protected]",
+    "[email protected]",
+    "[email protected]",
+    "[email protected]"
   ],
   "shell": {
     "init_hook": [