chore: upgrade Go from 1.23.4 to 1.24.4 (release-2.14) (#23294)

Signed-off-by: Ville Vesilehto <[email protected]>
Co-authored-by: Michael Crenshaw <[email protected]>

Author: thevilledev

.github/workflows/ci-build.yaml

@@ -14,7 +14,7 @@ on:
 env:
   # Golang version to use across CI steps
   # renovate: datasource=golang-version packageName=golang
-  GOLANG_VERSION: '1.23.3'
+  GOLANG_VERSION: '1.24.4'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}

.github/workflows/image.yaml

@@ -53,7 +53,7 @@ jobs:
     with:
       # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
       # renovate: datasource=golang-version packageName=golang
-      go-version: 1.23.3
+      go-version: 1.24.4
       platforms: ${{ needs.set-vars.outputs.platforms }}
       push: false
 
@@ -70,7 +70,7 @@ jobs:
       ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
       # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
       # renovate: datasource=golang-version packageName=golang
-      go-version: 1.23.3
+      go-version: 1.24.4
       platforms: ${{ needs.set-vars.outputs.platforms }}
       push: true
     secrets:

.github/workflows/release.yaml

@@ -11,7 +11,7 @@ permissions: {}
 
 env:
   # renovate: datasource=golang-version packageName=golang
-  GOLANG_VERSION: '1.23.3' # Note: go-version must also be set in job argocd-image.with.go-version
+  GOLANG_VERSION: '1.24.4' # Note: go-version must also be set in job argocd-image.with.go-version
 
 jobs:
   argocd-image:
@@ -25,7 +25,7 @@ jobs:
       quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }}
       # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
       # renovate: datasource=golang-version packageName=golang
-      go-version: 1.23.3
+      go-version: 1.24.4
       platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
       push: true
     secrets:

Dockerfile

@@ -4,7 +4,7 @@ ARG BASE_IMAGE=docker.io/library/ubuntu:24.04@sha256:3f85b7caad41a95462cf5b787d8
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.23.3@sha256:d56c3e08fe5b27729ee3834854ae8f7015af48fd651cd25d1e3bcf3c19830174 AS builder
+FROM docker.io/library/golang:1.24.4@sha256:db5d0afbfb4ab648af2393b92e87eaae9ad5e01132803d80caef91b5752d289c AS builder
 
 RUN echo 'deb http://archive.debian.org/debian buster-backports main' >> /etc/apt/sources.list
 
@@ -101,7 +101,7 @@ RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OP
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.23.3@sha256:d56c3e08fe5b27729ee3834854ae8f7015af48fd651cd25d1e3bcf3c19830174 AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.24.4@sha256:db5d0afbfb4ab648af2393b92e87eaae9ad5e01132803d80caef91b5752d289c AS argocd-build
 
 WORKDIR /go/src/github.com/argoproj/argo-cd
 

go.mod

@@ -1,6 +1,6 @@
 module github.com/argoproj/argo-cd/v2
 
-go 1.23.0
+go 1.24.4
 
 require (
 	code.gitea.io/sdk/gitea v0.19.0

test/container/Dockerfile

@@ -8,7 +8,7 @@ RUN ln -s /usr/lib/$(uname -m)-linux-gnu /usr/lib/linux-gnu
 # Please make sure to also check the contained yarn version and update the references below when upgrading this image's version
 FROM docker.io/library/node:22.9.0@sha256:69e667a79aa41ec0db50bc452a60e705ca16f35285eaf037ebe627a65a5cdf52 as node
 
-FROM docker.io/library/golang:1.23.4@sha256:70031844b8c225351d0bb63e2c383f80db85d92ba894e3da7e13bcf80efa9a37 as golang
+FROM docker.io/library/golang:1.24.4@sha256:db5d0afbfb4ab648af2393b92e87eaae9ad5e01132803d80caef91b5752d289c as golang
 
 FROM docker.io/library/registry:2.8@sha256:ac0192b549007e22998eb74e8d8488dcfe70f1489520c3b144a6047ac5efbe90 as registry
 

test/remote/Dockerfile

@@ -1,6 +1,6 @@
 ARG BASE_IMAGE=docker.io/library/ubuntu:24.04@sha256:3f85b7caad41a95462cf5b787d8a04604c8262cdcdf9a472b8c52ef83375fe15
 
-FROM docker.io/library/golang:1.23.4@sha256:81e1da9b9604cdee2bc226e90e15f9d51ae6a8cd2271dc341c42ca0926c3b83f AS go
+FROM docker.io/library/golang:1.24.4@sha256:db5d0afbfb4ab648af2393b92e87eaae9ad5e01132803d80caef91b5752d289c AS go
 
 RUN go install github.com/mattn/goreman@latest && \
     go install github.com/kisielk/godepgraph@latest

util/tls/tls.go

@@ -193,6 +193,11 @@ func publicKey(priv interface{}) interface{} {
 func pemBlockForKey(priv interface{}) *pem.Block {
 	switch k := priv.(type) {
 	case *rsa.PrivateKey:
+		// In Go 1.24+, MarshalPKCS1PrivateKey calls Precompute() which can panic
+		// if the key is invalid. Validate the key first.
+		if k == nil || k.Validate() != nil {
+			return nil
+		}
 		return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}
 	case *ecdsa.PrivateKey:
 		b, err := x509.MarshalECPrivateKey(k)
@@ -298,7 +303,11 @@ func generatePEM(opts CertOptions) ([]byte, []byte, error) {
 		return nil, nil, err
 	}
 	certpem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certBytes})
-	keypem := pem.EncodeToMemory(pemBlockForKey(privateKey))
+	keyBlock := pemBlockForKey(privateKey)
+	if keyBlock == nil {
+		return nil, nil, errors.New("failed to encode private key")
+	}
+	keypem := pem.EncodeToMemory(keyBlock)
 	return certpem, keypem, nil
 }
 
@@ -321,7 +330,11 @@ func EncodeX509KeyPair(cert tls.Certificate) ([]byte, []byte) {
 	for _, certtmp := range cert.Certificate {
 		certpem = append(certpem, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certtmp})...)
 	}
-	keypem := pem.EncodeToMemory(pemBlockForKey(cert.PrivateKey))
+	keyBlock := pemBlockForKey(cert.PrivateKey)
+	if keyBlock == nil {
+		return certpem, []byte{}
+	}
+	keypem := pem.EncodeToMemory(keyBlock)
 	return certpem, keypem
 }
 

util/tls/tls_test.go

@@ -1,11 +1,13 @@
 package tls
 
 import (
+	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"math/big"
 	"os"
 	"strings"
 	"testing"
@@ -452,3 +454,74 @@ func TestLoadX509CertPool(t *testing.T) {
 		require.Nil(t, p)
 	})
 }
+
+func TestEncodeX509KeyPair_InvalidRSAKey(t *testing.T) {
+	t.Run("Nil RSA private key", func(t *testing.T) {
+		cert := tls.Certificate{
+			Certificate: [][]byte{{0x30, 0x82}}, // minimal DER certificate bytes
+			PrivateKey:  (*rsa.PrivateKey)(nil),
+		}
+		certPEM, keyPEM := EncodeX509KeyPair(cert)
+		assert.NotEmpty(t, certPEM)
+		assert.Empty(t, keyPEM)
+	})
+
+	t.Run("RSA private key that fails validation", func(t *testing.T) {
+		// Create an RSA key with invalid parameters that will fail Validate()
+		invalidKey := &rsa.PrivateKey{
+			PublicKey: rsa.PublicKey{
+				N: big.NewInt(1), // Too small modulus, will fail validation
+				E: 65537,
+			},
+			D: big.NewInt(1), // Invalid private exponent
+		}
+		cert := tls.Certificate{
+			Certificate: [][]byte{{0x30, 0x82}}, // minimal DER certificate bytes
+			PrivateKey:  invalidKey,
+		}
+		certPEM, keyPEM := EncodeX509KeyPair(cert)
+		assert.NotEmpty(t, certPEM)
+		assert.Empty(t, keyPEM)
+	})
+
+	t.Run("RSA private key with inconsistent parameters", func(t *testing.T) {
+		invalidKey := &rsa.PrivateKey{
+			PublicKey: rsa.PublicKey{
+				N: big.NewInt(35),
+				E: 65537,
+			},
+			D: big.NewInt(99999),
+		}
+		cert := tls.Certificate{
+			Certificate: [][]byte{{0x30, 0x82}}, // minimal DER certificate bytes
+			PrivateKey:  invalidKey,
+		}
+		certPEM, keyPEM := EncodeX509KeyPair(cert)
+		assert.NotEmpty(t, certPEM)
+		assert.Empty(t, keyPEM)
+	})
+
+	t.Run("Unsupported private key type", func(t *testing.T) {
+		// Use a type that's not *rsa.PrivateKey or *ecdsa.PrivateKey
+		cert := tls.Certificate{
+			Certificate: [][]byte{{0x30, 0x82}}, // minimal DER certificate bytes
+			PrivateKey:  "not a private key",    // Unsupported type
+		}
+		certPEM, keyPEM := EncodeX509KeyPair(cert)
+		assert.NotEmpty(t, certPEM)
+		assert.Empty(t, keyPEM)
+	})
+
+	t.Run("Valid RSA private key should work", func(t *testing.T) {
+		// Generate a valid RSA key for testing
+		opts := CertOptions{Hosts: []string{"localhost"}, Organization: "Test"}
+		validCert, err := GenerateX509KeyPair(opts)
+		require.NoError(t, err)
+
+		certPEM, keyPEM := EncodeX509KeyPair(*validCert)
+		assert.NotEmpty(t, certPEM)
+		assert.NotEmpty(t, keyPEM)
+		assert.Contains(t, string(keyPEM), "-----BEGIN RSA PRIVATE KEY-----")
+		assert.Contains(t, string(keyPEM), "-----END RSA PRIVATE KEY-----")
+	})
+}