chore: update go version and packages

.github/workflows/ci.yaml

@@ -49,18 +49,6 @@ jobs:
   test:
     name: Test
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        vault_version: ["1.11.12", "1.12.8", "1.13.4", "1.14.8"]
-
-    services:
-      vault:
-        image: hashicorp/vault:${{ matrix.vault_version }}
-        env:
-          SKIP_SETCAP: true
-          VAULT_DEV_ROOT_TOKEN_ID: 227e1cce-6bf7-30bb-2d2a-acc854318caf
-        ports:
-          - 8200:8200
 
     steps:
       - name: Checkout repository
@@ -226,7 +214,7 @@ jobs:
     needs: [artifacts]
     strategy:
       matrix:
-        k8s_version: ["v1.24.15", "v1.25.11", "v1.26.6", "v1.27.3"]
+        k8s_version: ["v1.28.9", "v1.29.4", "v1.30.0"]
         # vault_version: ["1.11.12", "1.12.8", "1.13.4", "1.14.8"]
 
     steps:

.golangci.yaml

@@ -12,16 +12,25 @@ linters-settings:
   misspell:
     locale: US
   nolintlint:
-    allow-leading-space: false # require machine-readable nolint directives (with no leading space)
     allow-unused: false # report any unused nolint directives
     require-specific: false # don't require nolint directives to be specific about which linter is being skipped
   revive:
     confidence: 0
 
 linters:
   enable:
+    - bodyclose
+    - errcheck
     - gci
+    - gofmt
+    - gofumpt
     - goimports
+    - gosimple
+    - ineffassign
     - misspell
     - nolintlint
     - revive
+    - unconvert
+    - unparam
+    - unused
+    - whitespace

Makefile

@@ -44,6 +44,10 @@ build: ## Build binary
 	@mkdir -p build
 	go build -race -o build/webhook .
 
+.PHONY: artifacts
+artifacts: container-image helm-chart
+artifacts: ## Build docker image and helm chart
+
 .PHONY: container-image
 container-image: ## Build container image
 	docker build -t ${CONTAINER_IMAGE_REF} .
@@ -53,10 +57,6 @@ helm-chart: ## Build Helm chart
 	@mkdir -p build
 	$(HELM_BIN) package -d build/ deploy/charts/vault-secrets-webhook
 
-.PHONY: artifacts
-artifacts: container-image helm-chart
-artifacts: ## Build docker image and helm chart
-
 ##@ Checks
 
 .PHONY: check
@@ -80,7 +80,7 @@ lint: ## Run linters
 
 .PHONY: lint-go
 lint-go:
-	$(GOLANGCI_LINT_BIN) run $(if ${CI},--out-format github-actions,)
+	$(GOLANGCI_LINT_BIN) run $(if ${CI},--out-format colored-line-number,)
 
 .PHONY: lint-helm
 lint-helm:
@@ -94,15 +94,15 @@ lint-docker:
 lint-yaml:
 	$(YAMLLINT_BIN) $(if ${CI},-f github,) --no-warnings .
 
+.PHONY: fmt
+fmt: ## Format code
+	$(GOLANGCI_LINT_BIN) run --fix
+
 .PHONY: license-check
 license-check: ## Run license check
 	$(LICENSEI_BIN) check
 	$(LICENSEI_BIN) header
 
-.PHONY: fmt
-fmt: ## Format code
-	$(GOLANGCI_LINT_BIN) run --fix
-
 ##@ Autogeneration
 
 .PHONY: generate
@@ -119,11 +119,12 @@ deps: bin/golangci-lint bin/licensei bin/kind bin/kurun bin/helm bin/helm-docs
 deps: ## Install dependencies
 
 # Dependency versions
-GOLANGCI_VERSION = 1.53.3
-LICENSEI_VERSION = 0.8.0
-KIND_VERSION = 0.20.0
+GOLANGCI_LINT_VERSION = 1.61.0
+LICENSEI_VERSION = 0.9.0
+KIND_VERSION = 0.24.0
 KURUN_VERSION = 0.7.0
-HELM_DOCS_VERSION = 1.11.0
+HELM_VERSION = 3.16.1
+HELM_DOCS_VERSION = 1.14.2
 
 # Dependency binaries
 GOLANGCI_LINT_BIN := golangci-lint
@@ -149,7 +150,7 @@ endif
 
 bin/golangci-lint:
 	@mkdir -p bin
-	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash -s -- v${GOLANGCI_VERSION}
+	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash -s -- v${GOLANGCI_LINT_VERSION}
 
 bin/licensei:
 	@mkdir -p bin
@@ -167,7 +168,7 @@ bin/kurun:
 
 bin/helm:
 	@mkdir -p bin
-	curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | USE_SUDO=false HELM_INSTALL_DIR=bin bash
+	curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | USE_SUDO=false HELM_INSTALL_DIR=bin DESIRED_VERSION=v$(HELM_VERSION) bash
 	@chmod +x bin/helm
 
 bin/helm-docs:

deploy/charts/vault-secrets-webhook/README.md

@@ -20,7 +20,7 @@ vault.security.banzaicloud.io/vault-skip-verify: "true" # Container is missing T
 
 Be mindful how you reference Vault secrets itself. For KV v2 secrets, you will need to add the `/data/` to the path of the secret.
 
-```
+```bash
 $ vault kv get kv/rax/test
 ====== Metadata ======
 Key              Value
@@ -39,7 +39,7 @@ MYSQL_ROOT_PASSWORD    s3cr3t
 
 The secret shown above is referenced like this:
 
-```
+```bash
 vault:[ENGINE]/data/[SECRET_NAME]#[KEY]
 vault:kv/rax/data/test#MYSQL_PASSWORD
 ```
@@ -71,15 +71,15 @@ kubectl label namespace "${WEBHOOK_NS}" name="${WEBHOOK_NS}"
 ### Install the chart
 
 ```bash
-$ helm install vswh --namespace vswh --wait oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --create-namespace
+helm install vswh --namespace vswh --wait oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --create-namespace
 ```
 
 ### Openshift 4.3
 
 For security reasons, the `runAsUser` must be in the range between 1000570000 and 1000579999. By setting the value of `securityContext.runAsUser` to `""`, OpenShift chooses a valid User.
 
 ```bash
-$ helm upgrade --namespace vswh --install vswh oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --set-string securityContext.runAsUser="" --create-namespace
+helm upgrade --namespace vswh --install vswh oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --set-string securityContext.runAsUser="" --create-namespace
 ```
 
 ### About GKE Private Clusters
@@ -138,11 +138,11 @@ The following table lists the configurable parameters of the Helm chart.
 | `podAnnotations` | object | `{}` | Extra annotations to add to pod metadata |
 | `labels` | object | `{}` | Extra labels to add to the deployment and pods |
 | `resources` | object | `{}` | Resources to request for the deployment and pods |
-| `nodeSelector` | object | `{}` | Node labels for pod assignment. Check: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
-| `tolerations` | list | `[]` | List of node tolerations for the pods. Check: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
-| `affinity` | object | `{}` | Node affinity settings for the pods. Check: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ |
-| `topologySpreadConstraints` | object | `{}` | TopologySpreadConstraints to add for the pods. Check: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ |
-| `priorityClassName` | string | `""` | Assign a PriorityClassName to pods if set. Check: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ |
+| `nodeSelector` | object | `{}` | Node labels for pod assignment. Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector> |
+| `tolerations` | list | `[]` | List of node tolerations for the pods. Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/> |
+| `affinity` | object | `{}` | Node affinity settings for the pods. Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/> |
+| `topologySpreadConstraints` | object | `{}` | TopologySpreadConstraints to add for the pods. Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/> |
+| `priorityClassName` | string | `""` | Assign a PriorityClassName to pods if set. Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/> |
 | `livenessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":30,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Liveness and readiness probes for the webhook container |
 | `readinessProbe.failureThreshold` | int | `3` |  |
 | `readinessProbe.periodSeconds` | int | `10` |  |
@@ -162,7 +162,7 @@ The following table lists the configurable parameters of the Helm chart.
 | `configMapFailurePolicy` | string | `"Ignore"` |  |
 | `podsFailurePolicy` | string | `"Ignore"` |  |
 | `secretsFailurePolicy` | string | `"Ignore"` |  |
-| `apiSideEffectValue` | string | `"NoneOnDryRun"` | Webhook sideEffect value Check: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#side-effects |
+| `apiSideEffectValue` | string | `"NoneOnDryRun"` | Webhook sideEffect value Check: <https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#side-effects> |
 | `namespaceSelector` | object | `{}` | Namespace selector to use, will limit webhook scope (K8s version 1.15+) |
 | `objectSelector` | object | `{}` | Object selector to use, will limit webhook scope (K8s version 1.15+) |
 | `secrets.objectSelector` | object | `{}` | Object selector for secrets (overrides `objectSelector`); Requires K8s 1.15+ |
@@ -192,7 +192,7 @@ The default option is to let helm generate the CA and TLS certificates on deploy
 
 This will renew the certificates on each deployment.
 
-```
+```yaml
 certificate:
     generate: true
 ```

deploy/charts/vault-secrets-webhook/README.md.gotmpl

@@ -20,7 +20,7 @@ vault.security.banzaicloud.io/vault-skip-verify: "true" # Container is missing T
 
 Be mindful how you reference Vault secrets itself. For KV v2 secrets, you will need to add the `/data/` to the path of the secret.
 
-```
+```bash
 $ vault kv get kv/rax/test
 ====== Metadata ======
 Key              Value
@@ -39,7 +39,7 @@ MYSQL_ROOT_PASSWORD    s3cr3t
 
 The secret shown above is referenced like this:
 
-```
+```bash
 vault:[ENGINE]/data/[SECRET_NAME]#[KEY]
 vault:kv/rax/data/test#MYSQL_PASSWORD
 ```
@@ -71,15 +71,15 @@ kubectl label namespace "${WEBHOOK_NS}" name="${WEBHOOK_NS}"
 ### Install the chart
 
 ```bash
-$ helm install vswh --namespace vswh --wait oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --create-namespace
+helm install vswh --namespace vswh --wait oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --create-namespace
 ```
 
 ### Openshift 4.3
 
 For security reasons, the `runAsUser` must be in the range between 1000570000 and 1000579999. By setting the value of `securityContext.runAsUser` to `""`, OpenShift chooses a valid User.
 
 ```bash
-$ helm upgrade --namespace vswh --install vswh oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --set-string securityContext.runAsUser="" --create-namespace
+helm upgrade --namespace vswh --install vswh oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --set-string securityContext.runAsUser="" --create-namespace
 ```
 
 ### About GKE Private Clusters
@@ -116,7 +116,7 @@ The default option is to let helm generate the CA and TLS certificates on deploy
 
 This will renew the certificates on each deployment.
 
-```
+```yaml
 certificate:
     generate: true
 ```

deploy/charts/vault-secrets-webhook/values.yaml

@@ -154,23 +154,23 @@ labels: {}
 resources: {}
 
 # -- Node labels for pod assignment.
-# Check: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+# Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector>
 nodeSelector: {}
 
 # -- List of node tolerations for the pods.
-# Check: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+# Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/>
 tolerations: []
 
 # -- Node affinity settings for the pods.
-# Check: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+# Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/>
 affinity: {}
 
 # -- TopologySpreadConstraints to add for the pods.
-# Check: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
+# Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/>
 topologySpreadConstraints: {}
 
 # -- Assign a PriorityClassName to pods if set.
-# Check: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
+# Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/>
 priorityClassName: ""
 
 # -- Liveness and readiness probes for the webhook container
@@ -230,7 +230,7 @@ podsFailurePolicy: Ignore
 secretsFailurePolicy: Ignore
 
 # -- Webhook sideEffect value
-# Check: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#side-effects
+# Check: <https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#side-effects>
 apiSideEffectValue: NoneOnDryRun
 
 # -- Namespace selector to use, will limit webhook scope (K8s version 1.15+)