Add runtime checking of golang version

Forces other groups packaging k3s to intentionally choose to build k3s with an unvalidated golang version

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Dockerfile.test

@@ -14,7 +14,7 @@ ENTRYPOINT ["/bin/test-mods"]
 
 FROM test-base as test-k3s
 
-RUN apk -U --no-cache add git gcc musl-dev docker curl coreutils python3 openssl py3-pip procps findutils
+RUN apk -U --no-cache add git gcc musl-dev docker curl coreutils python3 openssl py3-pip procps findutils yq
 
 RUN python3 -m pip install awscli
 

pkg/cli/agent/agent.go

@@ -20,6 +20,9 @@ import (
 )
 
 func Run(ctx *cli.Context) error {
+	// Validate build env
+	cmds.MustValidateGolang()
+
 	// hide process arguments from ps output, since they may contain
 	// database credentials or other secrets.
 	gspt.SetProcTitle(os.Args[0] + " agent")

pkg/cli/cmds/golang.go

@@ -0,0 +1,27 @@
+package cmds
+
+import (
+	"fmt"
+	"runtime"
+	"strings"
+
+	"github.com/k3s-io/k3s/pkg/version"
+	"github.com/sirupsen/logrus"
+)
+
+func ValidateGolang() error {
+	k8sVersion, _, _ := strings.Cut(version.Version, "+")
+	if version.UpstreamGolang == "" {
+		return fmt.Errorf("kubernetes golang build version not set - see 'golang: upstream version' in https://github.com/kubernetes/kubernetes/blob/%s/build/dependencies.yaml", k8sVersion)
+	}
+	if v, _, _ := strings.Cut(runtime.Version(), " "); version.UpstreamGolang != v {
+		return fmt.Errorf("incorrect golang build version - kubernetes %s should be built with %s, runtime version is %s", k8sVersion, version.UpstreamGolang, v)
+	}
+	return nil
+}
+
+func MustValidateGolang() {
+	if err := ValidateGolang(); err != nil {
+		logrus.Fatalf("Failed to validate golang version: %v", err)
+	}
+}

pkg/cli/server/server.go

@@ -49,6 +49,8 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 	var (
 		err error
 	)
+	// Validate build env
+	cmds.MustValidateGolang()
 
 	// hide process arguments from ps output, since they may contain
 	// database credentials or other secrets.

pkg/version/version.go

@@ -7,4 +7,6 @@ var (
 	ProgramUpper = strings.ToUpper(Program)
 	Version      = "dev"
 	GitCommit    = "HEAD"
+
+	UpstreamGolang = ""
 )

scripts/build

@@ -22,6 +22,7 @@ buildDate=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
 VERSIONFLAGS="
     -X ${PKG}/pkg/version.Version=${VERSION}
     -X ${PKG}/pkg/version.GitCommit=${COMMIT:0:8}
+    -X ${PKG}/pkg/version.UpstreamGolang=${VERSION_GOLANG}
 
     -X ${PKG_K8S_CLIENT}/version.gitVersion=${VERSION}
     -X ${PKG_K8S_CLIENT}/version.gitCommit=${COMMIT}

scripts/validate

@@ -29,10 +29,8 @@ if [ -n "$DIRTY" ]; then
 fi
 
 echo Running: go version
-DEPENDENCIES_URL="https://raw.githubusercontent.com/kubernetes/kubernetes/${VERSION_K8S}/build/dependencies.yaml"
-GOLANG_VERSION=$(curl -sL "${DEPENDENCIES_URL}" | yq e '.dependencies[] | select(.name == "golang: upstream version").version' -)
-if ! go version | grep -s "go version go${GOLANG_VERSION} "; then
-  echo "Unexpected $(go version) - Kubernetes ${VERSION_K8S} should be built with go version go${GOLANG_VERSION}"
+if ! go version | grep -s "go version ${VERSION_GOLANG} "; then
+  echo "Unexpected $(go version) - Kubernetes ${VERSION_K8S} should be built with go version ${VERSION_GOLANG}"
   exit 1
 fi
 

scripts/version.sh

@@ -77,6 +77,9 @@ fi
 
 VERSION_ROOT="v0.12.2"
 
+DEPENDENCIES_URL="https://raw.githubusercontent.com/kubernetes/kubernetes/${VERSION_K8S}/build/dependencies.yaml"
+VERSION_GOLANG="go"$(curl -sL "${DEPENDENCIES_URL}" | yq e '.dependencies[] | select(.name == "golang: upstream version").version' -)
+
 if [[ -n "$GIT_TAG" ]]; then
     if [[ ! "$GIT_TAG" =~ ^"$VERSION_K8S"[+-] ]]; then
         echo "Tagged version '$GIT_TAG' does not match expected version '$VERSION_K8S[+-]*'" >&2
@@ -91,4 +94,4 @@ VERSION_TAG="$(sed -e 's/+/-/g' <<< "$VERSION")"
 BINARY_POSTFIX=
 if [ ${OS} = windows ]; then
     BINARY_POSTFIX=.exe
-fi
+fi