build(deps): bump google.golang.org/grpc from 1.65.0 to 1.67.1 (#6697)

* build(deps): bump google.golang.org/grpc from 1.65.0 to 1.67.1 Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.65.0 to 1.67.1. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.65.0...v1.67.1) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * lazy loading tls config in grpc server needs to set h2 ALPN Signed-off-by: Sunjay Bhatia <[email protected]> * lint fix Signed-off-by: Sunjay Bhatia <[email protected]> --------- Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Sunjay Bhatia <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sunjay Bhatia <[email protected]>
projectcontour · Oct 21, 2024 · 5bc6dc9 · 5bc6dc9
1 parent 057093f
commit 5bc6dc9
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 54 deletions.
diff --git a/cmd/contour/servecontext.go b/cmd/contour/servecontext.go
@@ -24,6 +24,7 @@ import (
 	"time"
 
 	"github.com/sirupsen/logrus"
+	"golang.org/x/net/http2"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/keepalive"
@@ -209,6 +210,7 @@ func tlsconfig(log logrus.FieldLogger, contourXDSTLS *contour_v1alpha1.TLS) *tls
 			ClientAuth:   tls.RequireAndVerifyClientCert,
 			ClientCAs:    certPool,
 			MinVersion:   tls.VersionTLS13,
+			NextProtos:   []string{http2.NextProtoTLS},
 		}, nil
 	}
 

diff --git a/cmd/contour/servecontext_test.go b/cmd/contour/servecontext_test.go
@@ -14,6 +14,7 @@
 package main
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"net"
@@ -24,8 +25,11 @@ import (
 	"testing"
 	"time"
 
+	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"github.com/tsaarni/certyaml"
+	"golang.org/x/net/http2"
 	"google.golang.org/grpc"
 	"k8s.io/utils/ptr"
 
@@ -152,7 +156,7 @@ func TestServeContextCertificateHandling(t *testing.T) {
 
 	caCertPool := x509.NewCertPool()
 	ca, err := trustedCACert.X509Certificate()
-	checkFatalErr(t, err)
+	require.NoError(t, err)
 	caCertPool.AddCert(&ca)
 
 	tests := map[string]struct {
@@ -184,7 +188,7 @@ func TestServeContextCertificateHandling(t *testing.T) {
 
 	// Create temporary directory to store certificates and key for the server.
 	configDir, err := os.MkdirTemp("", "contour-testdata-")
-	checkFatalErr(t, err)
+	require.NoError(t, err)
 	defer os.RemoveAll(configDir)
 
 	contourTLS := &contour_v1alpha1.TLS{
@@ -197,41 +201,41 @@ func TestServeContextCertificateHandling(t *testing.T) {
 	// Initial set of credentials must be written into temp directory before
 	// starting the tests to avoid error at server startup.
 	err = trustedCACert.WritePEM(contourTLS.CAFile, filepath.Join(configDir, "CAkey.pem"))
-	checkFatalErr(t, err)
+	require.NoError(t, err)
 	err = contourCertBeforeRotation.WritePEM(contourTLS.CertFile, contourTLS.KeyFile)
-	checkFatalErr(t, err)
+	require.NoError(t, err)
 
 	// Start a dummy server.
 	log := fixture.NewTestLogger(t)
 	opts := grpcOptions(log, contourTLS)
 	g := grpc.NewServer(opts...)
-	if g == nil {
-		t.Error("failed to create server")
-	}
+	require.NotNil(t, g)
 
-	address := "localhost:8001"
-	l, err := net.Listen("tcp", address)
-	checkFatalErr(t, err)
+	l, err := net.Listen("tcp", "localhost:")
+	require.NoError(t, err)
+	address := l.Addr().String()
 
 	go func() {
-		err := g.Serve(l)
-		checkFatalErr(t, err)
+		// If server fails to start, connecting to it below will fail so
+		// can ignore the error.
+		_ = g.Serve(l)
 	}()
 	defer g.GracefulStop()
 
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
 			// Store certificate and key to temp dir used by serveContext.
 			err = tc.serverCredentials.WritePEM(contourTLS.CertFile, contourTLS.KeyFile)
-			checkFatalErr(t, err)
-			clientCert, _ := tc.clientCredentials.TLSCertificate()
+			require.NoError(t, err)
+			clientCert, err := tc.clientCredentials.TLSCertificate()
+			require.NoError(t, err)
 			receivedCert, err := tryConnect(address, clientCert, caCertPool)
-			gotError := err != nil
-			if gotError != tc.expectError {
-				t.Errorf("Unexpected result when connecting to the server: %s", err)
-			}
-			if err == nil {
-				expectedCert, _ := tc.serverCredentials.X509Certificate()
+			if tc.expectError {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				expectedCert, err := tc.serverCredentials.X509Certificate()
+				require.NoError(t, err)
 				assert.Equal(t, &expectedCert, receivedCert)
 			}
 		})
@@ -242,7 +246,7 @@ func TestTlsVersionDeprecation(t *testing.T) {
 	// To get tls.Config for the gRPC XDS server, we need to arrange valid TLS certificates and keys.
 	// Create temporary directory to store them for the server.
 	configDir, err := os.MkdirTemp("", "contour-testdata-")
-	checkFatalErr(t, err)
+	require.NoError(t, err)
 	defer os.RemoveAll(configDir)
 
 	caCert := certyaml.Certificate{
@@ -261,46 +265,43 @@ func TestTlsVersionDeprecation(t *testing.T) {
 	}
 
 	err = caCert.WritePEM(contourTLS.CAFile, filepath.Join(configDir, "CAkey.pem"))
-	checkFatalErr(t, err)
+	require.NoError(t, err)
 	err = contourCert.WritePEM(contourTLS.CertFile, contourTLS.KeyFile)
-	checkFatalErr(t, err)
+	require.NoError(t, err)
 
 	// Get preliminary TLS config from the serveContext.
 	log := fixture.NewTestLogger(t)
 	preliminaryTLSConfig := tlsconfig(log, contourTLS)
 
 	// Get actual TLS config that will be used during TLS handshake.
 	tlsConfig, err := preliminaryTLSConfig.GetConfigForClient(nil)
-	checkFatalErr(t, err)
+	require.NoError(t, err)
 
 	assert.Equal(t, tlsConfig.MinVersion, uint16(tls.VersionTLS13))
 }
 
-func checkFatalErr(t *testing.T, err error) {
-	t.Helper()
-	if err != nil {
-		t.Fatal(err)
-	}
-}
-
 // tryConnect tries to establish TLS connection to the server.
 // If successful, return the server certificate.
 func tryConnect(address string, clientCert tls.Certificate, caCertPool *x509.CertPool) (*x509.Certificate, error) {
+	rawConn, err := net.Dial("tcp", address)
+	if err != nil {
+		rawConn.Close()
+		return nil, errors.Wrapf(err, "error dialing %s", address)
+	}
+
 	clientConfig := &tls.Config{
 		ServerName:   "localhost",
 		MinVersion:   tls.VersionTLS13,
 		Certificates: []tls.Certificate{clientCert},
 		RootCAs:      caCertPool,
+		NextProtos:   []string{http2.NextProtoTLS},
 	}
-	conn, err := tls.Dial("tcp", address, clientConfig)
-	if err != nil {
-		return nil, err
-	}
+
+	conn := tls.Client(rawConn, clientConfig)
 	defer conn.Close()
 
-	err = peekError(conn)
-	if err != nil {
-		return nil, err
+	if err := peekError(conn); err != nil {
+		return nil, errors.Wrap(err, "error peeking TLS alert")
 	}
 
 	return conn.ConnectionState().PeerCertificates[0], nil
@@ -311,12 +312,12 @@ func tryConnect(address string, clientCert tls.Certificate, caCertPool *x509.Cer
 // To receive alert for bad certificate, this function tries to read one byte.
 // Adapted from https://golang.org/src/crypto/tls/handshake_client_test.go
 func peekError(conn net.Conn) error {
-	_ = conn.SetReadDeadline(time.Now().Add(100 * time.Millisecond))
+	if err := conn.SetReadDeadline(time.Now().Add(100 * time.Millisecond)); err != nil {
+		return err
+	}
 	_, err := conn.Read(make([]byte, 1))
-	if err != nil {
-		if netErr, ok := err.(net.Error); !ok || !netErr.Timeout() {
-			return err
-		}
+	if err != nil && !errors.Is(err, context.DeadlineExceeded) {
+		return err
 	}
 	return nil
 }

diff --git a/go.mod b/go.mod
@@ -20,6 +20,7 @@ require (
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
 	github.com/onsi/ginkgo/v2 v2.20.2
 	github.com/onsi/gomega v1.34.2
+	github.com/pkg/errors v0.9.1
 	github.com/projectcontour/yages v0.1.0
 	github.com/prometheus/client_golang v1.20.4
 	github.com/prometheus/client_model v0.6.1
@@ -29,10 +30,11 @@ require (
 	github.com/tsaarni/certyaml v0.9.3
 	github.com/vektra/mockery/v2 v2.46.0
 	go.uber.org/automaxprocs v1.6.0
+	golang.org/x/net v0.29.0
 	golang.org/x/oauth2 v0.23.0
 	gonum.org/v1/plot v0.14.0
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1
-	google.golang.org/grpc v1.66.2
+	google.golang.org/grpc v1.67.1
 	google.golang.org/protobuf v1.35.1
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.31.1
@@ -48,7 +50,7 @@ require (
 )
 
 require (
-	cel.dev/expr v0.15.0 // indirect
+	cel.dev/expr v0.16.0 // indirect
 	git.sr.ht/~sbinet/gg v0.5.0 // indirect
 	github.com/ajstarks/svgo v0.0.0-20211024235047-1546f124cd8b // indirect
 	github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
@@ -57,7 +59,7 @@ require (
 	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chigopher/pathlib v0.19.1 // indirect
-	github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b // indirect
+	github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
@@ -106,7 +108,6 @@ require (
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
@@ -127,7 +128,6 @@ require (
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/image v0.18.0 // indirect
 	golang.org/x/mod v0.20.0 // indirect
-	golang.org/x/net v0.29.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.25.0 // indirect
 	golang.org/x/term v0.24.0 // indirect

diff --git a/go.sum b/go.sum
@@ -1,5 +1,5 @@
-cel.dev/expr v0.15.0 h1:O1jzfJCQBfL5BFoYktaxwIhuttaQPsVWerH9/EEKx0w=
-cel.dev/expr v0.15.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg=
+cel.dev/expr v0.16.0 h1:yloc84fytn4zmJX2GU3TkXGsaieaV7dQ057Qs4sIG2Y=
+cel.dev/expr v0.16.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
@@ -83,8 +83,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b h1:ga8SEFjZ60pxLcmhnThWgvH2wg8376yUJmPhEH4H3kw=
-github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
+github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 h1:N+3sFI5GUjRKBi+i0TxYVST9h4Ie192jJWpHvthBBgg=
+github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
 github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -728,8 +728,8 @@ google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.66.2 h1:3QdXkuq3Bkh7w+ywLdLvM56cmGvQHUMZpiCzt6Rqaoo=
-google.golang.org/grpc v1.66.2/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y=
+google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
+google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=