chore: minor updates

* bump Go version;
* update kres;
* fix linter warnings.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>

Author: AlekSi

.codecov.yml

@@ -1,18 +1,18 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2020-08-13T17:14:02Z by kres f4c4987.
+# Generated on 2021-05-20T11:41:34Z by kres latest.
 
 codecov:
-require_ci_to_pass: false
+  require_ci_to_pass: false
 
 coverage:
-status:
-  project:
-    default:
-      target: 50%
-      threshold: 0.5%
-      base: auto
-      if_ci_failed: success
-  patch: off
+  status:
+    project:
+      default:
+        target: 50%
+        threshold: 0.5%
+        base: auto
+        if_ci_failed: success
+    patch: off
 
 comment: false

.conform.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2020-11-11T19:39:46Z by kres latest.
+# Generated on 2021-05-20T11:41:34Z by kres latest.
 
 policies:
 - type: commit
@@ -28,6 +28,7 @@ policies:
       - .go
     excludeSuffixes:
       - .pb.go
+      - .pb.gw.go
     header: |
       // This Source Code Form is subject to the terms of the Mozilla Public
       // License, v. 2.0. If a copy of the MPL was not distributed with this

.golangci.yml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2020-08-13T17:14:02Z by kres f4c4987.
+# Generated on 2021-05-20T11:41:34Z by kres latest.
 
 
 # options for analysis running
@@ -75,8 +75,6 @@ linters-settings:
   lll:
     line-length: 200
     tab-width: 4
-  maligned:
-    suggest-new: true
   misspell:
     locale: US
     ignore-words: []
@@ -112,6 +110,9 @@ linters-settings:
     allow-separated-leading-comment: false
   gofumpt:
     extra-rules: false
+  cyclop:
+      # the maximal code complexity to report
+      max-complexity: 20
 
 linters:
   enable-all: true
@@ -125,6 +126,10 @@ linters:
     - gomnd
     - goerr113
     - nestif
+    - wrapcheck
+    - paralleltest
+    - exhaustivestruct
+    - forbidigo
   disable-all: false
   fast: false
 

Dockerfile

@@ -1,11 +1,14 @@
-# syntax = docker/dockerfile-upstream:1.1.7-experimental
+# syntax = docker/dockerfile-upstream:1.2.0-labs
 
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2020-11-11T19:39:46Z by kres latest.
+# Generated on 2021-05-20T11:41:34Z by kres latest.
 
 ARG TOOLCHAIN
 
+# cleaned up specs and compiled versions
+FROM scratch AS generate
+
 # runs markdownlint
 FROM node:14.8.0-alpine AS lint-markdown
 RUN npm i -g markdownlint-cli@0.23.2
@@ -17,14 +20,14 @@ RUN markdownlint --ignore "**/node_modules/**" --ignore '**/hack/chglog/**' --ru
 
 # base toolchain image
 FROM ${TOOLCHAIN} AS toolchain
-RUN apk --update --no-cache add bash curl build-base
+RUN apk --update --no-cache add bash curl build-base protoc protobuf-dev
 
 # build tools
 FROM toolchain AS tools
 ENV GO111MODULE on
 ENV CGO_ENABLED 0
 ENV GOPATH /go
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b /bin v1.30.0
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b /bin v1.38.0
 ARG GOFUMPT_VERSION
 RUN cd $(mktemp -d) \
 	&& go mod init tmp \
@@ -45,6 +48,7 @@ RUN --mount=type=cache,target=/go/pkg go list -mod=readonly all >/dev/null
 # runs gofumpt
 FROM base AS lint-gofumpt
 RUN find . -name '*.pb.go' | xargs -r rm
+RUN find . -name '*.pb.gw.go' | xargs -r rm
 RUN FILES="$(gofumports -l -local github.com/talos-systems/crypto .)" && test -z "${FILES}" || (echo -e "Source code is not formatted with 'gofumports -w -local github.com/talos-systems/crypto .':\n${FILES}"; exit 1)
 
 # runs golangci-lint
@@ -61,7 +65,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/g
 # runs unit-tests
 FROM base AS unit-tests-run
 ARG TESTPKGS
-RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg --mount=type=cache,target=/tmp go test -v -covermode=atomic -coverprofile=coverage.txt -count 1 ${TESTPKGS}
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg --mount=type=cache,target=/tmp go test -v -covermode=atomic -coverprofile=coverage.txt -coverpkg=${TESTPKGS} -count 1 ${TESTPKGS}
 
 FROM scratch AS unit-tests
 COPY --from=unit-tests-run /src/coverage.txt /coverage.txt

Makefile

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2020-11-11T19:40:41Z by kres latest.
+# Generated on 2021-05-20T11:52:28Z by kres latest.
 
 # common variables
 
@@ -12,7 +12,10 @@ REGISTRY ?= ghcr.io
 USERNAME ?= talos-systems
 REGISTRY_AND_USERNAME ?= $(REGISTRY)/$(USERNAME)
 GOFUMPT_VERSION ?= abc0db2c416aca0f60ea33c23c76665f6e7ba0b6
-GO_VERSION ?= 1.14
+GO_VERSION ?= 1.16
+PROTOBUF_GO_VERSION ?= 1.25.0
+GRPC_GO_VERSION ?= 1.1.0
+GRPC_GATEWAY_VERSION ?= 2.4.0
 TESTPKGS ?= ./...
 KRES_IMAGE ?= ghcr.io/talos-systems/kres:latest
 
@@ -33,12 +36,15 @@ COMMON_ARGS += --build-arg=TAG=$(TAG)
 COMMON_ARGS += --build-arg=USERNAME=$(USERNAME)
 COMMON_ARGS += --build-arg=TOOLCHAIN=$(TOOLCHAIN)
 COMMON_ARGS += --build-arg=GOFUMPT_VERSION=$(GOFUMPT_VERSION)
+COMMON_ARGS += --build-arg=PROTOBUF_GO_VERSION=$(PROTOBUF_GO_VERSION)
+COMMON_ARGS += --build-arg=GRPC_GO_VERSION=$(GRPC_GO_VERSION)
+COMMON_ARGS += --build-arg=GRPC_GATEWAY_VERSION=$(GRPC_GATEWAY_VERSION)
 COMMON_ARGS += --build-arg=TESTPKGS=$(TESTPKGS)
-TOOLCHAIN ?= docker.io/golang:1.15-alpine
+TOOLCHAIN ?= docker.io/golang:1.16-alpine
 
 # help menu
 
-export define HELP_MENU_HEADER
+define HELP_MENU_HEADER
 # Getting Started
 
 To build this project, you must have the following installed:
@@ -126,4 +132,3 @@ rekres:
 help:  ## This help menu.
 	@echo "$$HELP_MENU_HEADER"
 	@grep -E '^[a-zA-Z%_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
-

go.mod

@@ -1,6 +1,6 @@
 module github.com/talos-systems/crypto
 
-go 1.14
+go 1.16
 
 require (
 	github.com/stretchr/testify v1.7.0

tls/provider.go

@@ -35,8 +35,9 @@ type Generator interface {
 	Identity(csr *talosx509.CertificateSigningRequest) (ca, crt []byte, err error)
 }
 
+//nolint:govet
 type certificateProvider struct {
-	sync.RWMutex
+	rw sync.RWMutex
 
 	generator Generator
 
@@ -68,8 +69,7 @@ func NewRenewingCertificateProvider(generator Generator, dnsNames []string, ips
 
 	provider.updateCertificates(ca, &cert)
 
-	//nolint: errcheck
-	go provider.manageUpdates(context.TODO())
+	go provider.manageUpdates(context.TODO()) //nolint:errcheck
 
 	return provider, nil
 }
@@ -105,8 +105,8 @@ func (p *certificateProvider) GetCA() ([]byte, error) {
 		return nil, errors.New("no provider")
 	}
 
-	p.RLock()
-	defer p.RUnlock()
+	p.rw.RLock()
+	defer p.rw.RUnlock()
 
 	return p.ca, nil
 }
@@ -116,8 +116,8 @@ func (p *certificateProvider) GetCertificate(h *tls.ClientHelloInfo) (*tls.Certi
 		return nil, errors.New("no provider")
 	}
 
-	p.RLock()
-	defer p.RUnlock()
+	p.rw.RLock()
+	defer p.rw.RUnlock()
 
 	return p.crt, nil
 }
@@ -127,8 +127,8 @@ func (p *certificateProvider) GetClientCertificate(*tls.CertificateRequestInfo)
 }
 
 func (p *certificateProvider) updateCertificates(ca []byte, cert *tls.Certificate) {
-	p.Lock()
-	defer p.Unlock()
+	p.rw.Lock()
+	defer p.rw.Unlock()
 
 	p.ca = ca
 	p.crt = cert
@@ -138,8 +138,7 @@ func (p *certificateProvider) manageUpdates(ctx context.Context) (err error) {
 	nextRenewal := talosx509.DefaultCertificateValidityDuration
 
 	for ctx.Err() == nil {
-		//nolint: errcheck
-		if c, _ := p.GetCertificate(nil); c != nil {
+		if c, _ := p.GetCertificate(nil); c != nil { //nolint:errcheck
 			if len(c.Certificate) > 0 {
 				var crt *x509.Certificate
 				crt, err = x509.ParseCertificate(c.Certificate[0])

x509/fingerprint.go

@@ -55,7 +55,7 @@ func SPKIFingerprintFromDER(certDER []byte) (Fingerprint, error) {
 // SPKIFingerprint computes SPKI certificate fingerprint.
 func SPKIFingerprint(cert *x509.Certificate) Fingerprint {
 	hash := sha256.New()
-	hash.Write(cert.RawSubjectPublicKeyInfo) //nolint: errcheck
+	hash.Write(cert.RawSubjectPublicKeyInfo)
 
 	return Fingerprint(hash.Sum(nil))
 }

x509/fingerprint_test.go

@@ -64,6 +64,8 @@ yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
 -----END CERTIFICATE-----`
 
 func TestSPKIFingerprints(t *testing.T) {
+	t.Parallel()
+
 	fingerprint1, err := x509.SPKIFingerprintFromPEM([]byte(certPEM1))
 	if err != nil {
 		t.Fatal(err)

x509/x509.go

@@ -96,6 +96,8 @@ type PEMEncodedKey struct {
 }
 
 // Options is the functional options struct.
+//
+//nolint:govet
 type Options struct {
 	CommonName         string
 	Organization       string
@@ -247,7 +249,7 @@ func NewSelfSignedCertificateAuthority(setters ...Option) (ca *CertificateAuthor
 		DNSNames:    opts.DNSNames,
 	}
 
-	switch opts.SignatureAlgorithm { //nolint: exhaustive
+	switch opts.SignatureAlgorithm { //nolint:exhaustive
 	case x509.SHA512WithRSA:
 		return RSACertificateAuthority(crt, opts)
 	case x509.PureEd25519:
@@ -576,7 +578,7 @@ func NewKeyPair(ca *CertificateAuthority, setters ...Option) (keypair *KeyPair,
 		identity *PEMEncodedCertificateAndKey
 	)
 
-	switch ca.Crt.SignatureAlgorithm { //nolint: exhaustive
+	switch ca.Crt.SignatureAlgorithm { //nolint:exhaustive
 	case x509.SHA512WithRSA:
 		csr, identity, err = NewRSACSRAndIdentity(setters...)
 		if err != nil {
@@ -1005,8 +1007,6 @@ func (p *PEMEncodedKey) GetECDSAKey() (*ECDSAKey, error) {
 }
 
 // NewCertficateAndKey generates a new key and certificate signed by a CA.
-//
-//nolint: gocyclo
 func NewCertficateAndKey(crt *x509.Certificate, key interface{}, setters ...Option) (p *PEMEncodedCertificateAndKey, err error) {
 	var (
 		c        *Certificate
@@ -1081,8 +1081,8 @@ func Hash(crt *x509.Certificate) string {
 
 // RSACertificateAuthority creates an RSA CA.
 func RSACertificateAuthority(template *x509.Certificate, opts *Options) (ca *CertificateAuthority, err error) {
-	key, e := rsa.GenerateKey(rand.Reader, opts.Bits)
-	if e != nil {
+	key, err := rsa.GenerateKey(rand.Reader, opts.Bits)
+	if err != nil {
 		return
 	}
 
@@ -1092,8 +1092,8 @@ func RSACertificateAuthority(template *x509.Certificate, opts *Options) (ca *Cer
 		Bytes: keyBytes,
 	})
 
-	crtDER, e := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
-	if e != nil {
+	crtDER, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
+	if err != nil {
 		return
 	}
 
@@ -1119,13 +1119,13 @@ func RSACertificateAuthority(template *x509.Certificate, opts *Options) (ca *Cer
 
 // ECDSACertificateAuthority creates an ECDSA CA.
 func ECDSACertificateAuthority(template *x509.Certificate) (ca *CertificateAuthority, err error) {
-	key, e := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if e != nil {
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
 		return
 	}
 
-	keyBytes, e := x509.MarshalECPrivateKey(key)
-	if e != nil {
+	keyBytes, err := x509.MarshalECPrivateKey(key)
+	if err != nil {
 		return
 	}