Update to go1.22

Co-authored-by: Julien Salleyron <[email protected]>

.github/workflows/build.yaml

@@ -6,7 +6,7 @@ on:
       - '*'
 
 env:
-  GO_VERSION: '1.21'
+  GO_VERSION: '1.22'
   CGO_ENABLED: 0
 
 jobs:

.github/workflows/experimental.yaml

@@ -7,7 +7,7 @@ on:
       - v*
 
 env:
-  GO_VERSION: '1.21'
+  GO_VERSION: '1.22'
   CGO_ENABLED: 0
 
 jobs:

.github/workflows/test-integration.yaml

@@ -9,7 +9,7 @@ on:
       - 'gh-actions'
 
 env:
-  GO_VERSION: '1.21'
+  GO_VERSION: '1.22'
   CGO_ENABLED: 0
 
 jobs:

.github/workflows/test-unit.yaml

@@ -6,7 +6,7 @@ on:
       - '*'
 
 env:
-  GO_VERSION: '1.21'
+  GO_VERSION: '1.22'
 
 jobs:
 

.github/workflows/validate.yaml

@@ -6,8 +6,8 @@ on:
       - '*'
 
 env:
-  GO_VERSION: '1.21'
-  GOLANGCI_LINT_VERSION: v1.55.2
+  GO_VERSION: '1.22'
+  GOLANGCI_LINT_VERSION: v1.56.0
   MISSSPELL_VERSION: v0.4.1
 
 jobs:

.golangci.yml

@@ -152,17 +152,10 @@ linters-settings:
       - github.com/jaguilar/vt100
       - github.com/cucumber/godog
   testifylint:
-    enable:
-      - bool-compare
-      - compares
-      - empty
-      - error-is-as
-      - error-nil
-      - expected-actual
-      - float-compare
-      - len
-      - suite-extra-assert-call
-      - suite-thelper
+    disable:
+      - suite-dont-use-pkg
+      - require-error
+      - go-require
 
 linters:
   enable-all: true
@@ -218,7 +211,7 @@ linters:
 
 issues:
   exclude-use-default: false
-  max-per-linter: 0
+  max-issues-per-linter: 0
   max-same-issues: 0
   exclude:
     - 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked'
@@ -232,6 +225,7 @@ issues:
     - 'SA1019: c.Providers.ConsulCatalog.Namespace is deprecated'
     - 'SA1019: c.Providers.Consul.Namespace is deprecated'
     - 'SA1019: c.Providers.Nomad.Namespace is deprecated'
+    - 'fmt.Sprintf can be replaced with string addition'
   exclude-rules:
     - path: '(.+)_test.go'
       linters:

.semaphore/semaphore.yml

@@ -19,13 +19,13 @@ global_job_config:
   prologue:
     commands:
       - curl -sSfL https://raw.githubusercontent.com/ldez/semgo/master/godownloader.sh | sudo sh -s -- -b "/usr/local/bin"
-      - sudo semgo go1.21
+      - sudo semgo go1.22
       - export "GOPATH=$(go env GOPATH)"
       - export "SEMAPHORE_GIT_DIR=${GOPATH}/src/github.com/traefik/${SEMAPHORE_PROJECT_NAME}"
       - export "PATH=${GOPATH}/bin:${PATH}"
       - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
       - export GOPROXY=https://proxy.golang.org,direct
-      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.55.2
+      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.56.0
       - curl -sSfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
       - checkout
       - cache restore traefik-$(checksum go.sum)

docs/content/migration/v2.md

@@ -533,3 +533,30 @@ In `v2.11`, the `IPWhiteList` middleware is deprecated, please use the [IPAllowL
 ### IPWhiteList (TCP)
 
 In `v2.11`, the `IPWhiteList` middleware is deprecated, please use the [IPAllowList](../middlewares/tcp/ipallowlist.md) middleware instead.
+
+### TLS CipherSuites
+
+> By default, cipher suites without ECDHE support are no longer offered by either clients or servers during pre-TLS 1.3 handshakes.
+> This change can be reverted with the `tlsrsakex=1 GODEBUG` setting.
+> (https://go.dev/doc/go1.22#crypto/tls)
+
+The _RSA key exchange_ cipher suites are way less secure than the modern ECDHE cipher suites and exposes to potential vulnerabilities like [the Marvin Attack](https://people.redhat.com/~hkario/marvin).
+Decision has been made to support ECDHE cipher suites only by default.
+
+The following ciphers have been removed from the default list:
+
+- `TLS_RSA_WITH_AES_128_CBC_SHA`
+- `TLS_RSA_WITH_AES_256_CBC_SHA`
+- `TLS_RSA_WITH_AES_128_GCM_SHA256`
+- `TLS_RSA_WITH_AES_256_GCM_SHA384`
+
+To enable these ciphers, please set the option `CipherSuites` in your [TLS configuration](https://doc.traefik.io/traefik/https/tls/#cipher-suites) or set the environment variable `GODEBUG=tlsrsakex=1`.
+
+### Minimum TLS Version
+
+> By default, the minimum version offered by `crypto/tls` servers is now TLS 1.2 if not specified with config.MinimumVersion,
+> matching the behavior of crypto/tls clients.
+> This change can be reverted with the `tls10server=1 GODEBUG` setting.
+> (https://go.dev/doc/go1.22#crypto/tls)
+
+To enable TLS 1.0, please set the option `MinVersion` to `VersionTLS10` in your [TLS configuration](https://doc.traefik.io/traefik/https/tls/#cipher-suites) or set the environment variable `GODEBUG=tls10server=1`.