
Update crypto to v0.31.0-v1.15.x #10510

Merged
merged 9 commits into from
Dec 20, 2024

Conversation


@ashishb-solo ashishb-solo commented Dec 18, 2024

Description

Update golang.org/x/crypto to address CVE.

In the process, I had to update all k8s.io libraries from v0.27.3 to v0.27.16. See this comment for details (specifically, the penultimate paragraph).

API changes

Code changes

CI changes

Docs changes

Context

Interesting decisions

Testing steps

Notes for reviewers

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works

@solo-changelog-bot

Issues linked to changelog:
#10432


ashishb-solo commented Dec 19, 2024

Here's where I currently stand on this:

When I try to update crypto to v1.31.0, I get this error during codegen (taken from this run):

Error: /home/runner/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/openapi.go:683:33: cannot use doc (variable of type *"github.com/google/gnostic-models/openapiv2".Document) as *"github.com/google/gnostic/openapiv2".Document value in argument to swagger.FromGnostic
# sigs.k8s.io/kustomize/kyaml/openapi
Error: /home/runner/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/openapi.go:683:33: cannot use doc (variable of type *"github.com/google/gnostic-models/openapiv2".Document) as *"github.com/google/gnostic/openapiv2".Document value in argument to swagger.FromGnostic
Error: prog.go:12:2: no required module provides package github.com/golang/mock/mockgen/model: go.mod file not found in current directory or any parent directory; see 'go help modules'
Error: prog.go:14:2: no required module provides package github.com/solo-io/gloo/projects/gloo/cli/pkg/cmd/install: go.mod file not found in current directory or any parent directory; see 'go help modules'
2024/12/18 18:36:45 Loading input failed: exit status 1
projects/gloo/cli/pkg/cmd/install/helm_client.go:27: running "mockgen": exit status 1
make: *** [Makefile:247: go-generate-all] Error 1

In order to fix it, I think we need to update our libraries such that we no longer depend on github.com/google/gnostic. While v1.15.x has both gnostic and gnostic-models in go.mod, v1.16.x and later do not - they only have gnostic-models. So my guess at the moment is that we need to update whatever library is bringing gnostic in as a transient dependency, which appears to be client-go:

$ go mod why -m github.com/google/gnostic
# github.com/google/gnostic
github.com/solo-io/gloo/projects/gateway/pkg/api/v1/kube/client/clientset/versioned
k8s.io/client-go/discovery
github.com/google/gnostic/openapiv2

Right now, on v1.15.x we have it pinned to v0.27.3. On 1.16.x, these dependencies are on v0.28.x which does not seem to have the problematic gnostic dependency (pull request for reference). However, I doubt that we want to update v1.15.x to support kubernetes v0.28.x, so I don't think we want to do exactly what is going on in that pull request.

But perhaps instead we could see if updating client-go to a later version of v0.27.x would work? I have been trying it and running into roadblocks so far, but that might just be user error. I want to continue pursuing this in the short-term and see if I can break through this wall.

Another alternative is that we could ignore this vulnerability. During stand-up earlier this week, @nfuden mentioned that we don't use the function that is causing this CVE in crypto, so we may not be vulnerable to it. We might want to consider this if updating v1.15.x is too hard.
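The comment above works out, by hand, which direct requirement (client-go) drags github.com/google/gnostic into the build. The following is an added example, not code from this pull request or from the gloo project, that automates the same question over `go mod graph` output: it parses the requirer/required pairs, breadth-first searches from the main module to the first node whose module path exactly matches the target, and reports the chain, so the second element of the path is the direct dependency that needs bumping. Exact module-path matching matters here because gnostic and gnostic-models are distinct modules that share a prefix. The sample graph and its version strings are constructed for the example and are not the project's real dependency graph.

```go
package main

import (
	"fmt"
	"strings"
)

// SampleGraph is a constructed stand-in for `go mod graph` output: each line is
// "requirer required". Module paths follow the chain the PR comment describes;
// the version strings are made up for the example.
const SampleGraph = `github.com/solo-io/gloo k8s.io/client-go@v0.27.3
github.com/solo-io/gloo k8s.io/apimachinery@v0.27.3
k8s.io/client-go@v0.27.3 k8s.io/apimachinery@v0.27.3
k8s.io/client-go@v0.27.3 github.com/google/gnostic@v0.0.0-constructed
k8s.io/apimachinery@v0.27.3 github.com/google/gnostic-models@v0.0.0-constructed
`

// ModulePath strips the "@version" suffix from a graph node so that a module
// can be matched regardless of which version appears in the graph.
func ModulePath(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// ParseGraph builds an adjacency list (requirer -> required nodes) from
// `go mod graph` style text. Malformed lines are skipped.
func ParseGraph(out string) map[string][]string {
	g := make(map[string][]string)
	for _, line := range strings.Split(out, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		g[fields[0]] = append(g[fields[0]], fields[1])
	}
	return g
}

// FindPath performs a breadth-first search from root and returns the shortest
// chain of nodes ending at the first node whose module path equals target,
// or nil when the target is not reachable. Matching is on the full module
// path, so "github.com/google/gnostic-models" never matches "github.com/google/gnostic".
func FindPath(g map[string][]string, root, target string) []string {
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if ModulePath(cur) == target {
			var path []string
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range g[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// DirectDependency returns the direct requirement of the root module on the
// path, i.e. the module whose version bump would change the chain.
func DirectDependency(path []string) string {
	if len(path) < 2 {
		return ""
	}
	return path[1]
}

func main() {
	g := ParseGraph(SampleGraph)
	path := FindPath(g, "github.com/solo-io/gloo", "github.com/google/gnostic")
	fmt.Println("chain:", strings.Join(path, " -> "))
	fmt.Println("direct dependency to bump:", DirectDependency(path))
}
```

To run it against a real module, replace SampleGraph with the output of `go mod graph` run in the repository root. Note that this answers only whether a module is required, not whether any vulnerable function in it is actually called; the comment's point that the affected crypto function may be unused is a reachability question, which `go mod graph` and `go mod why` cannot settle on their own.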

@ashishb-solo ashishb-solo requested a review from a team as a code owner December 19, 2024 21:53
@ashishb-solo ashishb-solo changed the title Update crypto to v0.31.0 Update crypto to v0.31.0-v1.15.x Dec 19, 2024
@soloio-bulldozer soloio-bulldozer bot merged commit f573801 into v1.15.x Dec 20, 2024
12 checks passed
@soloio-bulldozer soloio-bulldozer bot deleted the crypto-1.31-bump-v1.15.x branch December 20, 2024 15:24