From 20e667dc9c7fb63194ddbf6cadcb0b13df104ef1 Mon Sep 17 00:00:00 2001
From: Nathanael Liechti
Date: Wed, 13 Mar 2024 19:06:16 +0100
Subject: [PATCH 1/3] fix: ca-filter causing expontentially more api-calls (#3608) due to missing cache
---
 pkg/ingress/cert_discovery.go | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/pkg/ingress/cert_discovery.go b/pkg/ingress/cert_discovery.go
index 80fb9c743..acca5f661 100644
--- a/pkg/ingress/cert_discovery.go
+++ b/pkg/ingress/cert_discovery.go
@@ -2,7 +2,6 @@ package ingress
 
 import (
 "context"
- "slices"
 "strings"
 "sync"
 "time"
@@ -16,6 +15,7 @@ import (
 "github.com/pkg/errors"
 "k8s.io/apimachinery/pkg/util/cache"
 "k8s.io/apimachinery/pkg/util/sets"
+ "k8s.io/utils/strings/slices"
 "sigs.k8s.io/aws-load-balancer-controller/pkg/aws/services"
 )
 
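Review bot: The swap from the standard-library `slices` to `k8s.io/utils/strings/slices` is not explained by the commit message, which only talks about the missing cache. If the motive is to keep the package building with toolchains older than 1.21 (which do not ship the stdlib package), a one-line comment on the import would save the next reader the same question, e.g. `// k8s.io/utils variant so the package still builds on pre-1.21 toolchains`. If that is not the motive, the stdlib package is the one to keep, since the repository now pins Go 1.21.x elsewhere in this series.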
@@ -153,18 +153,18 @@ func (d *acmCertDiscovery) loadDomainsForCertificate(ctx context.Context, certAR
 certDetail := resp.Certificate
 
 // check if cert is issued from an allowed CA
+ // otherwise empty-out the list of domains
+ domains := sets.String{}
 if len(d.allowedCAARNs) == 0 || slices.Contains(d.allowedCAARNs, awssdk.StringValue(certDetail.CertificateAuthorityArn)) {
- domains := sets.NewString(aws.StringValueSlice(certDetail.SubjectAlternativeNames)...)
- switch aws.StringValue(certDetail.Type) {
- case acm.CertificateTypeImported:
- d.certDomainsCache.Set(certARN, domains, d.importedCertDomainsCacheTTL)
- case acm.CertificateTypeAmazonIssued, acm.CertificateTypePrivate:
- d.certDomainsCache.Set(certARN, domains, d.privateCertDomainsCacheTTL)
- }
- return domains, nil
+ domains = sets.NewString(aws.StringValueSlice(certDetail.SubjectAlternativeNames)...)
 }
- return sets.String{}, nil
-
+ switch aws.StringValue(certDetail.Type) {
+ case acm.CertificateTypeImported:
+ d.certDomainsCache.Set(certARN, domains, d.importedCertDomainsCacheTTL)
+ case acm.CertificateTypeAmazonIssued, acm.CertificateTypePrivate:
+ d.certDomainsCache.Set(certARN, domains, d.privateCertDomainsCacheTTL)
+ }
+ return domains, nil
 }
 
 func (d *acmCertDiscovery) domainMatchesHost(domainName string, tlsHost string) bool {
From 631aaf0ebba1d1481463394d612e33c7d17f5eb5 Mon Sep 17 00:00:00 2001
From: Jason Du
Date: Thu, 14 Mar 2024 09:36:33 -0700
Subject: [PATCH 2/3] Repo controlled build go version (#3598)
---
 .github/workflows/deps.yml | 4 +++-
 .github/workflows/test.yaml | 10 ++++++----
 .go-version | 1 +
 Makefile | 6 +++++-
 4 files changed, 15 insertions(+), 6 deletions(-)
 create mode 100644 .go-version
diff --git a/.github/workflows/deps.yml b/.github/workflows/deps.yml
index 36d5ae076..bc4a2c343 100644
--- a/.github/workflows/deps.yml
+++ b/.github/workflows/deps.yml
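Review bot: The switch that now writes the cache has no `default` branch, so a certificate whose `Type` is none of the three listed constants is still never cached and, presumably, re-described by ACM on every call — the same amplification this commit fixes for the CA-filter path. ACM documents only those three types today, but a `default:` that stores `domains` with `d.privateCertDomainsCacheTTL` (or returns an error naming the unexpected type) would make the caching unconditional rather than dependent on the enum staying closed. The new comment could also say what the empty set buys, since a certificate rejected by the CA filter now stays rejected for the full TTL: `// otherwise cache an empty set so a cert from a non-allowed CA is not re-described every reconcile`. The enclosing loadDomainsForCertificate begins outside the hunk.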
@@ -39,8 +39,10 @@ jobs:
 uses: actions/checkout@v4
 with:
 show-progress: false
+ - name: Setup Go Version
+ run: echo "GO_VERSION=$(cat .go-version)" >> $GITHUB_ENV
 - id: govulncheck
 uses: golang/govulncheck-action@v1
 with:
- go-version-input: 1.21.5
+ go-version-input: ${{ env.GO_VERSION }}
 go-version-file: go.mod
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 7708a7220..1303a908d 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -7,11 +7,13 @@ jobs:
 name: Build
 runs-on: ubuntu-latest
 steps:
+ - name: Setup Go Version
+ run: echo "GO_VERSION=$(cat .go-version)" >> $GITHUB_ENV
 - name: Set up Go 1.x
 uses: actions/setup-go@v2
 with:
- go-version: ^1.21
-
+ go-version: ${{ env.GO_VERSION }}
+
 - name: Check out code into the Go module directory
 uses: actions/checkout@v2
 
@@ -19,7 +21,7 @@ jobs:
 run: |
 sudo snap install yq
 make test
-
+
 - name: Codecov
 uses: codecov/codecov-action@v1
 with:
@@ -32,4 +34,4 @@ jobs:
 
 - name: make quick-ci
 run: |
- make quick-ci
\ No newline at end of file
+ make quick-ci
diff --git a/.go-version b/.go-version
new file mode 100644
index 000000000..ce2dd5357
--- /dev/null
+++ b/.go-version
@@ -0,0 +1 @@
+1.21.5
diff --git a/Makefile b/Makefile
index 6587c96ce..9d158f0f1 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,8 @@ MAKEFILE_PATH = $(dir $(realpath -s $(firstword $(MAKEFILE_LIST))))
 # Image URL to use all building/pushing image targets
 IMG ?= public.ecr.aws/eks/aws-load-balancer-controller:v2.7.0
 # Image URL to use for builder stage in Docker build
-BUILD_IMAGE ?= public.ecr.aws/docker/library/golang:1.21.5
+GOLANG_VERSION ?= $(shell cat .go-version)
+BUILD_IMAGE ?= public.ecr.aws/docker/library/golang:$(GOLANG_VERSION)
 # Image URL to use for base layer in Docker build
 BASE_IMAGE ?= public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:2023-09-06-1694026927.2
 IMG_PLATFORM ?= linux/amd64,linux/arm64
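Review bot: The new step `run: echo "GO_VERSION=$(cat .go-version)" >> $GITHUB_ENV` copies the file's content into the job environment with no shape check and with `$GITHUB_ENV` unquoted, so anything in `.go-version` beyond a single version token (a second line, stray characters) becomes a malformed or additional environment assignment that the later `${{ env.GO_VERSION }}` consumer would not notice. A tighter form is `run: echo "GO_VERSION=$(tr -d '[:space:]' < .go-version)" >> "$GITHUB_ENV"`, optionally preceded by a `grep -Eq '^[0-9]+\.[0-9]+(\.[0-9]+)?$' .go-version` so a malformed file fails the step instead of silently picking a toolchain. The same step is repeated verbatim in the test.yaml hunk and should be tightened there as well.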
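Review bot: In the test.yaml hunk the new `Setup Go Version` step is placed before `Check out code into the Go module directory`, so `cat .go-version` runs in an empty workspace; the substitution fails but `echo` still exits 0, the step passes, `GO_VERSION` is written empty, and `actions/setup-go@v2` receives an empty `go-version` instead of the pinned one. Move the two checkout lines (`- name: Check out code into the Go module directory` / `uses: actions/checkout@v2`) above the new step, or the new step below them, so the file exists when it is read. The deps.yml hunk has the right order, with the step after `actions/checkout@v4`.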
@@ -24,6 +25,9 @@ else
 GOBIN=$(shell go env GOBIN)
 endif
 
+export GOSUMDB = sum.golang.org
+export GOTOOLCHAIN = go$(GOLANG_VERSION)
+
 all: controller
 
 # Run tests
From a513f0c0ca6ae8fe7173356612ec748e970c2ea1 Mon Sep 17 00:00:00 2001
From: Hao Zhou
Date: Thu, 14 Mar 2024 22:12:10 -0700
Subject: [PATCH 3/3] update go version to mitigate CVE (#3615)
---
 .go-version | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.go-version b/.go-version
index ce2dd5357..428abfd24 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.21.5
+1.21.8
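Review bot: The two new exports deserve a comment stating what they pin: `GOTOOLCHAIN = go$(GOLANG_VERSION)` makes a 1.21+ `go` command run exactly the toolchain named in .go-version, downloading it as a module if the local one differs, and exporting `GOSUMDB` overrides a developer's `GOSUMDB=off` so that download is verified against the checksum database. Something like `# Build with exactly the toolchain in .go-version; GOSUMDB is forced on so a downloaded toolchain is checksum-verified` above the exports would do. Without a `+auto` suffix, a `go` or `toolchain` line in go.mod newer than this value makes the go command fail rather than upgrade — presumably intended for a reproducible build, but worth stating so the failure mode is recognised when the version bump lands.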