Release 1.15 (#2619)

* restore node update permission to master until image tag can be updated (#2513)

* Merge branch 'release-1.14' (#2517)

* network policies update to readme (#2478)

* init draft of network policy desc

* add security note

* fixup

* fixup

* fix placeholder link

* Update manifest for cni 1.14 (#2526)

* Mimic VPC-RC limit struture (#2516)

* limits api pkg (#2528)

* Update kops tests for 1.28 and fix generate-cni-yaml script (#2536)

* skip IPAMD events test (#2537)

* chore: remove refs to deprecated io/ioutil (#2541)

* Change default Node Agent ports for health and metrics (#2545)

* remove self-managed node group from pod-eni test suite (#2547)

* bump controller runtime to 0.16.1 (#2548)

Co-authored-by: Joseph Chen <[email protected]>

* update agent image (#2554)

* fix(chart): Switch base64 encoded cniConfig.fileContents to the binaryData (#2552)

* Update the use of privileged flag in aws-vpc-cni manifest (#2555)

* increment default Calico version for helm compatibility (#2560)

* update nginx image (#2561)

* Only metrics (#2557)

Prometheus metrics for capturing ENI IP usage and no available IP address errors

Co-authored-by: Lindsay Hanks <[email protected]>

* CHANGELOG, chart, and manifest updates for VPC CNI v1.15.0 release (#2563)

* remove calico test suite from weekly integration tests (#2559)

* remove addon-tests integration suite as it is no longer needed (#2564)

* Only metrics (#2569)

* rename warm pool metrics

---------

Co-authored-by: Lindsay Hanks <[email protected]>

* Fix unused version variable (#2566)

* Update example table 'Pod per Prefixes' value (#2573)

* Bandwidth plugin with NP is currently unsupported (#2572)

* Bandwidth plugin with NP

* Messaging review

* pass CNINode scheme to client only (#2570)

* reduce api calls (#2575)

* Add region flag to describe-addon command (#2576)

* add ENABLE_V4_EGRESS (#2577)

* Add test registry parameter for ipv6 and CNI full tests (#2585)

* update golang image (#2586)

* increase time for service readiness (#2587)

* do not patch CNINode for custom networking unless podENI is enabled (#2591)

* Remove self-managed node group from custom-networking suite (#2590)

* remove self-managed node group from custom-networking suite

* Select CNI manifest based on regions (#2593)

* Update metrics helper image url based on region (#2604)

* dependabot updates (#2605)

* Graceful termination for service connectivity tests (#2611)

* update CHANGELOG, charts, and manifests in master following v1.15.1 release (#2614)

* go module updates and golang builder image update (#2615)

* update Golang to 1.21.3 (#2616)

* Stricter dependency/security review (#2617)

* Stricter dependency/security review

Signed-off-by: Davanum Srinivas <[email protected]>

* move common things to a separate file

Signed-off-by: Davanum Srinivas <[email protected]>

---------

Signed-off-by: Davanum Srinivas <[email protected]>

* update actions for go 1.21 and fix deps action warnings (#2618)

---------

Signed-off-by: Davanum Srinivas <[email protected]>
Co-authored-by: Jay Deokar <[email protected]>
Co-authored-by: Geoffrey Cline <[email protected]>
Co-authored-by: Joseph Chen <[email protected]>
Co-authored-by: guangwu <[email protected]>
Co-authored-by: Joseph Chen <[email protected]>
Co-authored-by: Valentin Zayash <[email protected]>
Co-authored-by: lnhanks <[email protected]>
Co-authored-by: Lindsay Hanks <[email protected]>
Co-authored-by: 김은빈 <[email protected]>
Co-authored-by: Jayanth Varavani <[email protected]>
Co-authored-by: Davanum Srinivas <[email protected]>

.github/actions/govulncheck/action.yaml

@@ -0,0 +1,46 @@
+name: 'golang-govulncheck-action'
+description: 'Run govulncheck'
+inputs:
+  go-version-input:  # version of Go to use for govulncheck
+    description: 'Version of Go to use for govulncheck'
+    required: false
+  check-latest:
+    description: 'Set this option to true if you want the action to always check for the latest available Go version that satisfies the version spec'
+    required: false
+    default: false
+  cache:
+    description: 'Used to specify whether Go caching is needed. Set to true, if you would like to enable caching.'
+    required: false
+    default: true
+  go-package:
+    description: 'Go Package to scan with govulncheck'
+    required: false
+    default: './...'
+  work-dir:
+    description: 'Directory in which to run govulncheck'
+    required: false
+    default: '.'
+  repo-checkout:
+    description: "Checkout the repository"
+    required: false
+    default: true
+  go-version-file:
+    description: 'Path to the go.mod or go.work file.'
+    required: false
+runs:
+  using: "composite"
+  steps:
+    - if: inputs.repo-checkout != false # only explicit false prevents repo checkout
+      uses: actions/checkout@v4
+    - uses: actions/[email protected]
+      with:
+        go-version: ${{ inputs.go-version-input }}
+        check-latest: ${{ inputs.check-latest }}
+        go-version-file: ${{ inputs.go-version-file }}
+        cache: ${{ inputs.cache }}
+    - name: Install govulncheck
+      run: go install golang.org/x/vuln/cmd/govulncheck@latest
+      shell: bash
+    - name: Run govulncheck
+      run: govulncheck -C ${{ inputs.work-dir }} ${{ inputs.go-package }}
+      shell: bash

.github/workflows/deps.yml

@@ -0,0 +1,39 @@
+name: "Dependency Review"
+on:
+  pull_request:
+    branches:
+      - "master"
+      - "release*"
+permissions:
+  contents: read
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@v4
+        with:
+          show-progress: false
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@v3
+  govulncheck:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@v4
+        with:
+          show-progress: false
+      - id: govulncheck
+        uses: ./.github/actions/govulncheck
+        with:
+          go-version-input: 1.21.3
+          go-version-file: go.mod
+          cache: false
+          repo-checkout: false
+      - id: govulncheck-tests-agent
+        uses: ./.github/actions/govulncheck
+        with:
+          go-version-input: 1.21.3
+          go-version-file: test/agent/go.mod
+          cache: false
+          repo-checkout: false

.github/workflows/integration-tests.yaml

@@ -23,7 +23,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.20"
+          go-version: "1.21"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod

.github/workflows/nightly-cron-tests.yaml

@@ -22,7 +22,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.20"
+          go-version: "1.21"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod

.github/workflows/pr-automated-tests.yaml

@@ -1,14 +1,11 @@
 name: Automatic Pull Request test
-
 on:
   pull_request:
     branches:
       - "master"
       - "release*"
-
 permissions:
   contents: read
-
 jobs:
   unit-test:
     name: Unit test
@@ -19,17 +16,21 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.20"
+          go-version: "1.21"
       - name: Set up tools
         run: |
           go install golang.org/x/lint/golint@latest
           go install golang.org/x/tools/cmd/goimports@latest
+          # Install ginkgo version from go.mod
+          go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
       - name: Run code checks
         run: |
           make check-format
           make vet
       - name: Build
         run: make build-linux
+      - name: Build tests
+        run: make build-test-binaries
       - name: Helm lint
         run: make helm-lint
       - name: Unit test
@@ -49,7 +50,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.20"
+          go-version: "1.21"
       - name: Build CNI images
         run: make multi-arch-cni-build
       - name: Build CNI Init images

.github/workflows/pr-manual-tests.yaml

@@ -29,7 +29,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.20"
+          go-version: "1.21"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod

.github/workflows/release.yaml

@@ -22,7 +22,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.20"
+          go-version: "1.21"
       - name: Generate CNI YAML
         run: make generate-cni-yaml
       - name: Create eks-charts PR

.github/workflows/weekly-cron-tests.yaml

@@ -23,7 +23,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.20"
+          go-version: "1.21"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod

Makefile

@@ -22,7 +22,7 @@
 # VERSION is the source revision that executables and images are built from.
 VERSION ?= $(shell git describe --tags --always --dirty || echo "unknown")
 # GOLANG_IMAGE is the building golang container image used.
-GOLANG_IMAGE ?= public.ecr.aws/eks-distro-build-tooling/golang:1.20.8-9-gcc-al2
+GOLANG_IMAGE ?= public.ecr.aws/eks-distro-build-tooling/golang:1.21.3-4-gcc-al2
 # BASE_IMAGE_CNI is the base layer image for the primary AWS VPC CNI plugin container
 BASE_IMAGE_CNI ?= public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-iptables:latest.2
 # BASE_IMAGE_CNI_INIT is the base layer image for the AWS VPC CNI init container

go.mod

@@ -1,11 +1,11 @@
 module github.com/aws/amazon-vpc-cni-k8s
 
-go 1.20
+go 1.21
 
 require (
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/aws/amazon-vpc-cni-k8s/test/agent v0.0.0-20230907153600-f7672495a1d3
-	github.com/aws/amazon-vpc-resource-controller-k8s v1.3.0
+	github.com/aws/amazon-vpc-resource-controller-k8s v1.3.1
 	github.com/aws/aws-sdk-go v1.45.19
 	github.com/containernetworking/cni v1.1.2
 	github.com/containernetworking/plugins v1.2.0
@@ -25,40 +25,41 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.4
 	github.com/vishvananda/netlink v1.2.1-beta.2
-	go.uber.org/zap v1.25.0
-	golang.org/x/net v0.13.0
-	golang.org/x/sys v0.12.0
+	go.uber.org/zap v1.26.0
+	golang.org/x/net v0.17.0
+	golang.org/x/sys v0.13.0
 	google.golang.org/grpc v1.57.0
 	google.golang.org/protobuf v1.31.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gopkg.in/yaml.v2 v2.4.0
-	helm.sh/helm/v3 v3.12.3
-	k8s.io/api v0.28.1
-	k8s.io/apimachinery v0.28.1
-	k8s.io/cli-runtime v0.28.1
-	k8s.io/client-go v0.28.1
-	sigs.k8s.io/controller-runtime v0.16.1
+	helm.sh/helm/v3 v3.13.1
+	k8s.io/api v0.28.2
+	k8s.io/apimachinery v0.28.2
+	k8s.io/cli-runtime v0.28.2
+	k8s.io/client-go v0.28.2
+	sigs.k8s.io/controller-runtime v0.16.2
 )
 
 require (
-	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
-	github.com/BurntSushi/toml v1.2.1 // indirect
+	github.com/BurntSushi/toml v1.3.2 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
 	github.com/Masterminds/squirrel v1.5.4 // indirect
+	github.com/Microsoft/hcsshim v0.11.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
-	github.com/containerd/containerd v1.7.0 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
+	github.com/containerd/containerd v1.7.6 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/cli v23.0.1+incompatible // indirect
+	github.com/docker/cli v24.0.6+incompatible // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
-	github.com/docker/docker v23.0.1+incompatible // indirect
+	github.com/docker/docker v24.0.6+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
@@ -70,7 +71,7 @@ require (
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
-	github.com/go-gorp/gorp/v3 v3.0.5 // indirect
+	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.2.4 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
@@ -81,7 +82,6 @@ require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/btree v1.0.1 // indirect
-	github.com/google/gnostic v0.6.9 // indirect
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
@@ -110,22 +110,22 @@ require (
 	github.com/mattn/go-runewidth v0.0.9 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
-	github.com/mitchellh/go-wordwrap v1.0.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/term v0.0.0-20221205130635-1aeaba878587 // indirect
+	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/procfs v0.10.1 // indirect
-	github.com/rubenv/sql-migrate v1.3.1 // indirect
+	github.com/rubenv/sql-migrate v1.5.2 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/safchain/ethtool v0.0.0-20210803160452-9aa261dae9b1 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
@@ -140,27 +140,27 @@ require (
 	go.opentelemetry.io/otel/trace v1.14.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/crypto v0.14.0 // indirect
 	golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0 // indirect
 	golang.org/x/oauth2 v0.8.0 // indirect
-	golang.org/x/sync v0.2.0 // indirect
-	golang.org/x/term v0.10.0 // indirect
-	golang.org/x/text v0.11.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/term v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.9.3 // indirect
+	golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.28.0 // indirect
-	k8s.io/apiserver v0.28.1 // indirect
-	k8s.io/component-base v0.28.1 // indirect
+	k8s.io/apiextensions-apiserver v0.28.2 // indirect
+	k8s.io/apiserver v0.28.2 // indirect
+	k8s.io/component-base v0.28.2 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
-	k8s.io/kubectl v0.27.3 // indirect
+	k8s.io/kubectl v0.28.2 // indirect
 	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
-	oras.land/oras-go v1.2.3 // indirect
+	oras.land/oras-go v1.2.4 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
@@ -170,12 +170,9 @@ require (
 
 replace gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 => gopkg.in/yaml.v3 v3.0.1
 
-replace golang.org/x/crypto => golang.org/x/crypto v0.11.0
+replace golang.org/x/crypto => golang.org/x/crypto v0.14.0
 
 // Containernetworking packages must remain pinned until VPC CNI moves to CNI spec 1.0.0
 replace github.com/containernetworking/cni => github.com/containernetworking/cni v0.8.1
 
 replace github.com/containernetworking/plugins => github.com/containernetworking/plugins v0.9.1
-
-// Using https://github.com/google/gnostic/pull/400 version until Helm updates k8s.io from 0.27.3 to 0.28+
-replace github.com/google/gnostic => github.com/google/gnostic v0.6.10-0.20230825200611-ee84fd2a9620