fix: bump Go version to 1.26 #4370
2b164ef to
53ec62e
jpayne3506
left a comment
need to run go mod tidy and update workflows as well.
Once all image changes are complete we should use /azp run to run NPM + CNI Release Test pipelines
| FILE_EXT='' | ||
|
|
||
| export CGO_ENABLED=0 | ||
| export GOEXPERIMENT=systemcrypto |
wrong goexperiment for CGO = 0
This is actually correct for Go 1.26 with the MS Go fork. Unlike the old boringcrypto experiment (which required CGO), systemcrypto uses dlopen at runtime to load system crypto libraries — it works with CGO_ENABLED=0.
From the MS Go FIPS User Guide:
Go 1.26 introduces GOEXPERIMENT=systemcrypto which dynamically loads system crypto libraries via dlopen. This does not require CGO at build time.
The tradeoff is that the runtime image must have crypto libs available (hence the distroless/base migration in PR #4369 — base includes libcrypto vs minimal/scratch which do not).
Also ran go mod tidy and bumped tools.go.mod to 1.26 as requested. All CI workflows already use go-version-file: go.mod so they will automatically pick up the new version.
This has been corrected. cilium-log-collector is the only component that retains GOEXPERIMENT=systemcrypto because it builds with CGO_ENABLED=1 and -buildmode=c-shared. It produces a .so shared library (out_azure_app_insights.so) that Fluent Bit loads as a plugin at runtime. The C-shared build mode inherently requires CGO, so the systemcrypto experiment works as intended here — the binary will dlopen the system's FIPS-validated crypto library.
d5e33a7 to
f10c036
|
Addressed review feedback:
Ready for |
| sigs.k8s.io/controller-tools/cmd/controller-gen | ||
| ) | ||
|
|
||
| require ( |
Looks like go 1.26 has a hidden change to go mod tidy, TLDR stricter checks/validation on require( ) directive in conjunction with module github.com/Azure/azure-container-networking .
Original intent for tools.go.mod was to move tool usage out of our root go.mod to help with dependency maintenance and module downloads. Keeping it at the root level was to ensure there was visibility on it.... Went back and forth on how to move forward.. Only good solution to this to ensure that we don't bring in other dependencies that the repo is dependent on is to move this into its own directory... I think /tools-go is a good name, but will go with what you think is best.
Here is a commit that covers the change(s)
Moved tools.go.mod → tools-go/go.mod with a distinct module path. This solves the Go 1.26 go mod tidy issue because the tools module is now a separate module
| module github.com/Azure/azure-container-networking | ||
|
|
||
| go 1.24.1 | ||
| go 1.26 |
we should specify patch version .1 otherwise it defaults to .0.
.0 should be seen as a pre-release version with .1 being the first true stable version for a minor.
updated go.mod from go 1.26 to go 1.26.1
|
This pull request is stale because it has been open for 2 weeks with no activity. Remove stale label or comment or this will be closed in 7 days |
Upgrade Go toolchain from 1.24 to 1.26 across all build configurations. Go 1.26 enforces FIPS-compliant system crypto for Microsoft compliance.
Changes:
- build/images.mk: GO_IMG 1.24 → 1.26-azurelinux3.0
- go.mod: go 1.24.1 → go 1.26
- install-go.sh: DEFAULT_IMAGE updated to Go 1.26 azurelinux3.0 SHA
- bpf-prog/ipv6-hp-bpf/linux.Dockerfile: updated to Go 1.26 MCR SHA
- npm/linux.Dockerfile, npm/windows.Dockerfile: 1.25.5 → 1.26
- .devcontainer/Dockerfile: VARIANT 1.24 → 1.26
- Regenerated all template Dockerfiles via make dockerfiles
SHAs:
- azurelinux3.0: sha256:eb3ce814e96f3319f1b5985021021682b47975f6decfe00eaac84abff0ae25c9
- MCR golang:1.26: sha256:6c27ae470941ef215b3eea86fcd6632a7ab975f391e5a75f546d3a76fd686705
Resolves #4365
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Update tools.go.mod Go directive from 1.24.1 to 1.26
- Run go mod tidy on both go.mod and tools.go.mod
- All CI workflows use go-version-file: go.mod (no hardcoded versions)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…to 1.26.1
- Move tools.go.mod to tools-go/go.mod with own module path
- Update all Makefile and script references to tools-go/go.mod
- Remove GOEXPERIMENT=systemcrypto from CGO_ENABLED=0 scripts and Dockerfiles
- Bump go directive from 1.26 to 1.26.1 per reviewer feedback
- Run go mod tidy on both root and tools-go modules
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
8887f75 to
ebfba40
Pull request overview
Upgrades the repository’s Go toolchain and build images to Go 1.26 (go directive 1.26.1) to align with the FIPS/system-crypto requirements, and updates repo tooling to use the new tools-go/ modfile layout.
Changes:
- Bumped root Go version to 1.26.1 and updated toolchain module (tools-go/) accordingly.
- Updated builder Dockerfiles and pipeline Go-install logic to use Go 1.26 image references/digests.
- Enabled GOEXPERIMENT=systemcrypto for cilium-log-collector build paths.
Reviewed changes
Copilot reviewed 26 out of 28 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tools-go/go.sum | Adds the dependency checksum set for the dedicated tools module. |
| tools-go/go.mod | Converts tooling into a dedicated tools-go module, updates Go version, refreshes tool deps. |
| scripts/install-protoc.sh | Switches -modfile usage to tools-go/go.mod for installing protoc plugins. |
| platform/Makefile | Points mockgen invocation at tools-go/go.mod. |
| npm/windows.Dockerfile | Bumps Go builder image to 1.26 for Windows NPM build. |
| npm/pkg/dataplane/Makefile | Points mockgen invocation at tools-go/go.mod. |
| npm/linux.Dockerfile | Bumps Go builder image to 1.26 for Linux NPM build. |
| Makefile | Updates the canonical tools modfile path to tools-go/go.mod. |
| go.mod | Updates root module Go version to 1.26.1. |
| crd/overlayextensionconfig/Makefile | Points controller-gen invocation at tools-go/go.mod. |
| crd/nodenetworkconfig/Makefile | Points controller-gen invocation at tools-go/go.mod. |
| crd/multitenantnetworkcontainer/Makefile | Points controller-gen invocation at tools-go/go.mod. |
| crd/multitenancy/Makefile | Points controller-gen invocation at tools-go/go.mod. |
| crd/clustersubnetstate/Makefile | Points controller-gen invocation at tools-go/go.mod. |
| cns/multitenantcontroller/mockclients/Makefile | Points mockgen invocation at tools-go/go.mod. |
| cns/Dockerfile | Updates Go builder stage to 1.26 azurelinux3.0 digest. |
| cni/Dockerfile | Updates Go builder stage to 1.26 azurelinux3.0 digest. |
| cilium-log-collector/Dockerfile.tmpl | Adds GOEXPERIMENT=systemcrypto to the Go build stage template. |
| cilium-log-collector/Dockerfile | Regenerated Dockerfile to Go 1.26 digest + GOEXPERIMENT=systemcrypto. |
| build/images.mk | Bumps GO_IMG source tag to 1.26-azurelinux3.0. |
| bpf-prog/ipv6-hp-bpf/linux.Dockerfile | Updates Go builder stage to 1.26 digest for the BPF build. |
| azure-iptables-monitor/Dockerfile | Updates Go builder stage to 1.26 azurelinux3.0 digest. |
| azure-ipam/Dockerfile | Updates Go builder stage to 1.26 azurelinux3.0 digest. |
| azure-ip-masq-merger/Dockerfile | Updates Go builder stage to 1.26 azurelinux3.0 digest. |
| .pipelines/build/scripts/install-go.sh | Updates fallback msft-go image digest to 1.26 azurelinux3.0. |
| .pipelines/build/scripts/cilium-log-collector.sh | Exports GOEXPERIMENT=systemcrypto for the cilium-log-collector pipeline build. |
| .devcontainer/Dockerfile | Bumps devcontainer Go variant to 1.26. |
Go 1.26 enables systemcrypto by default, which requires CGO on Linux (uses dlopen for OpenSSL). Since all ACN components except cilium-log-collector build with CGO_ENABLED=0, they need the experimental ms_nocgo_opensslcrypto backend that calls OpenSSL without requiring cgo.
- Pipeline scripts: export GOEXPERIMENT=ms_nocgo_opensslcrypto (Linux only)
- Dockerfile templates: ENV GOEXPERIMENT=ms_nocgo_opensslcrypto
- Makefile: ACN_GOEXPERIMENT variable for binary build targets
- cilium-log-collector: explicitly uses CGO_ENABLED=1 + systemcrypto
Reference: https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md#usage-common-configurations
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Address Copilot review comments:
- install-go.sh: update skopeo hint comment from 1.24 to 1.26 and refresh the DEFAULT_IMAGE digest to the latest 1.26-azurelinux3.0
- npm/linux.Dockerfile: pin builder image to sha256 digest
- npm/windows.Dockerfile: pin builder image to sha256 digest
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
| # Go 1.26 on Linux: systemcrypto (default) requires CGO; use nocgo OpenSSL backend for CGO_ENABLED=0 builds | ||
| # Only applied to binary build targets, not tooling (renderkit, mockgen, etc.) | ||
| ifneq ($(GOOS),windows) | ||
| ACN_GOEXPERIMENT := ms_nocgo_opensslcrypto | ||
| endif |
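Review bot: The guard `ifneq ($(GOOS),windows)` is broader than the comment above it, which scopes the backend to "Go 1.26 on Linux": every non-Windows GOOS, and an empty GOOS, also gets `ACN_GOEXPERIMENT := ms_nocgo_opensslcrypto`. If the backend is meant to be Linux-only, match positively with `ifeq ($(GOOS),linux)` so other targets keep the toolchain default, or reword the comment to say the experiment is intended for every non-Windows target.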
| ENV GOEXPERIMENT=ms_nocgo_opensslcrypto | ||
| WORKDIR /azure-container-networking | ||
| COPY . . | ||
| RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/azure-cns -ldflags "-s -w -X main.version="$VERSION" -X "$CNS_AI_PATH"="$CNS_AI_ID"" -gcflags="-dwarflocationlists=true" cns/service/*.go |
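Review bot: `ENV GOEXPERIMENT=ms_nocgo_opensslcrypto` is set unconditionally, while the build line below it takes its target from `GOOS=$OS`. If this stage is ever built with OS=windows, the experiment is applied to a Windows target, which the Makefile change in this PR deliberately excludes. Consider setting the variable on the RUN line only when $OS is linux, or stating in the Dockerfile that the stage is Linux-only. The other Dockerfile hunks that pair this ENV with `GOOS=$OS` have the same shape.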
| ENV GOEXPERIMENT=ms_nocgo_opensslcrypto | ||
| WORKDIR /azure-container-networking | ||
| COPY . . | ||
| RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/azure-vnet -trimpath -ldflags "-s -w -X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" cni/network/plugin/main.go |
| ENV GOEXPERIMENT=ms_nocgo_opensslcrypto | ||
| RUN go mod download github.com/azure/azure-container-networking/dropgz@$DROPGZ_VERSION | ||
| WORKDIR /go/pkg/mod/github.com/azure/azure-container-networking/dropgz\@$DROPGZ_VERSION | ||
| COPY --from=compressor /payload/* pkg/embed/fs/ |
| ENV GOEXPERIMENT=ms_nocgo_opensslcrypto | ||
| WORKDIR /azure-ipam | ||
| COPY ./azure-ipam . | ||
| RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/azure-ipam -trimpath -ldflags "-s -w -X main.version="$VERSION" -X github.com/Azure/azure-container-networking/azure-ipam/internal/buildinfo.Version="$VERSION"" -gcflags="-dwarflocationlists=true" . |
| ARG CNI_AI_ID | ||
| ENV GOEXPERIMENT=ms_nocgo_opensslcrypto | ||
| WORKDIR /azure-container-networking | ||
| COPY . . | ||
| RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/azure-vnet -trimpath -ldflags "-s -w -X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" cni/network/plugin/main.go |
| ENV GOEXPERIMENT=ms_nocgo_opensslcrypto | ||
| RUN go mod download github.com/azure/azure-container-networking/dropgz@$DROPGZ_VERSION | ||
| WORKDIR /go/pkg/mod/github.com/azure/azure-container-networking/dropgz\@$DROPGZ_VERSION | ||
| COPY --from=compressor /payload/* pkg/embed/fs/ |
| ARG OS | ||
| ARG VERSION | ||
| ENV GOEXPERIMENT=ms_nocgo_opensslcrypto | ||
| WORKDIR /azure-ipam | ||
| COPY ./azure-ipam . | ||
| RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/azure-ipam -trimpath -ldflags "-s -w -X main.version="$VERSION" -X github.com/Azure/azure-container-networking/azure-ipam/internal/buildinfo.Version="$VERSION"" -gcflags="-dwarflocationlists=true" . |
| ENV GOEXPERIMENT=ms_nocgo_opensslcrypto | ||
| RUN go mod download github.com/azure/azure-container-networking/dropgz@$DROPGZ_VERSION | ||
| WORKDIR /go/pkg/mod/github.com/azure/azure-container-networking/dropgz\@$DROPGZ_VERSION | ||
| COPY --from=compressor /payload/* pkg/embed/fs/ |
| ARG OS | ||
| ARG VERSION | ||
| ENV GOEXPERIMENT=ms_nocgo_opensslcrypto | ||
| WORKDIR /azure-ip-masq-merger | ||
| COPY ./azure-ip-masq-merger . | ||
| RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/ip-masq-merger -trimpath -ldflags "-s -w -X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" . |
Pull request overview
Copilot reviewed 42 out of 44 changed files in this pull request and generated 16 comments.
Comments suppressed due to low confidence (1)
tools-go/go.mod:6
- This comment suggests using -modfile=tools-go/go.mod, but tools-go is now a separate module in a subdirectory. If tooling is meant to be invoked from that module, the more reliable pattern is go -C tools-go … (or cd tools-go) rather than -modfile from the repo root. Otherwise, readers may follow this and hit -modfile path restrictions.
| REPO_ROOT = $(shell git rev-parse --show-toplevel) | ||
| MOCKGEN = go tool -modfile=$(REPO_ROOT)/tools.go.mod mockgen | ||
| MOCKGEN = go tool -modfile=$(REPO_ROOT)/tools-go/go.mod mockgen |
| REPO_ROOT = $(shell git rev-parse --show-toplevel) | ||
| MOCKGEN = go tool -modfile=$(REPO_ROOT)/tools.go.mod mockgen | ||
| MOCKGEN = go tool -modfile=$(REPO_ROOT)/tools-go/go.mod mockgen |
| REPO_ROOT = $(shell git rev-parse --show-toplevel) | ||
| MOCKGEN = go tool -modfile=$(REPO_ROOT)/tools.go.mod mockgen | ||
| MOCKGEN = go tool -modfile=$(REPO_ROOT)/tools-go/go.mod mockgen |
| REPO_ROOT = $(shell git rev-parse --show-toplevel) | ||
| CONTROLLER_GEN = go tool -modfile=$(REPO_ROOT)/tools.go.mod controller-gen | ||
| CONTROLLER_GEN = go tool -modfile=$(REPO_ROOT)/tools-go/go.mod controller-gen |
| REPO_ROOT = $(shell git rev-parse --show-toplevel) | ||
| CONTROLLER_GEN = go tool -modfile=$(REPO_ROOT)/tools.go.mod controller-gen | ||
| CONTROLLER_GEN = go tool -modfile=$(REPO_ROOT)/tools-go/go.mod controller-gen |
| export CGO_ENABLED=0 | ||
| # Go 1.26 Linux-only: use nocgo OpenSSL backend (systemcrypto default requires CGO) | ||
| export GOEXPERIMENT=ms_nocgo_opensslcrypto | ||
|
|
| # To update the fallback, run: | ||
| # skopeo inspect docker://mcr.microsoft.com/oss/go/microsoft/golang:1.24-azurelinux3.0 --format "{{.Name}}@{{.Digest}}" | ||
| DEFAULT_IMAGE="mcr.microsoft.com/oss/go/microsoft/golang@sha256:3999f970bb52b7413ef9be2803173d4fd7f1f3c59362a98a0c78d155e3a0e59f" | ||
| # skopeo inspect docker://mcr.microsoft.com/oss/go/microsoft/golang:1.26-azurelinux3.0 --format "{{.Name}}@{{.Digest}}" | ||
| DEFAULT_IMAGE="mcr.microsoft.com/oss/go/microsoft/golang@sha256:5f95bf70f4c437de4a6ba1f72ef1532f69fca392c131fff2172993cabbea359c" |
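Review bot: The new `DEFAULT_IMAGE` digest matches neither of the two digests listed under SHAs in the PR description, and the Testing line there still verifies the older one. Update the description and re-run the `go version` check against the digest that is actually committed here, so the record shows which image the pipeline falls back to.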
| # install protoc-gen-go | ||
| if [ ! -f ${GOPATH}/bin/protoc-gen-go ]; then | ||
| echo "Installing protoc-gen-go" | ||
| go install -modfile=${REPO_ROOT}/tools.go.mod github.com/golang/protobuf/protoc-gen-go | ||
| go install -modfile=${REPO_ROOT}/tools-go/go.mod github.com/golang/protobuf/protoc-gen-go | ||
| else |
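Review bot: The `if [ ! -f ${GOPATH}/bin/protoc-gen-go ]` guard skips installation whenever a binary already exists, so after the move to tools-go/go.mod a protoc-gen-go built from the old tool versions is kept and the versions pinned in the new modfile are never applied. Consider running `go install` unconditionally or checking the installed version. `${GOPATH}` and `${REPO_ROOT}` are also unquoted and will split on paths containing spaces. The protoc-gen-go-grpc block follows the same pattern.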
| # install protoc-gen-go-grpc | ||
| if [ ! -f ${GOPATH}/bin/protoc-gen-go-grpc ]; then | ||
| echo "Installing protoc-gen-go-grpc" | ||
| go install -modfile=${REPO_ROOT}/tools.go.mod google.golang.org/grpc/cmd/protoc-gen-go-grpc | ||
| go install -modfile=${REPO_ROOT}/tools-go/go.mod google.golang.org/grpc/cmd/protoc-gen-go-grpc | ||
| else |
| module github.com/Azure/azure-container-networking | ||
|
|
||
| go 1.24.1 | ||
| go 1.26.1 |
Summary
Upgrade Go toolchain from 1.24 to 1.26 across all build configurations. Go 1.26 enforces FIPS-compliant system crypto for Microsoft compliance.
Changes
Source of truth
- build/images.mk: GO_IMG → 1.26-azurelinux3.0
- go.mod: go 1.24.1 → go 1.26
Manual (non-template) files
- .pipelines/build/scripts/install-go.sh: DEFAULT_IMAGE updated to Go 1.26 azurelinux3.0 SHA
- bpf-prog/ipv6-hp-bpf/linux.Dockerfile: updated to Go 1.26 MCR SHA
- npm/linux.Dockerfile, npm/windows.Dockerfile: 1.25.5 → 1.26
- .devcontainer/Dockerfile: VARIANT 1.24 → 1.26
Auto-regenerated via make dockerfiles
All template Dockerfiles updated with new Go 1.26 SHA.
SHAs
- sha256:eb3ce814e96f3319f1b5985021021682b47975f6decfe00eaac84abff0ae25c9
- sha256:6c27ae470941ef215b3eea86fcd6632a7ab975f391e5a75f546d3a76fd686705
Testing
- docker run --rm mcr.microsoft.com/oss/go/microsoft/golang@sha256:eb3ce814... go version confirms Go 1.26
Resolves #4365
Depends on #4369
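The CGO_ENABLED / GOEXPERIMENT pairing this thread converged on can be enforced as a lint step. The script below is an added example, not part of the PR or the repository: the helper name `check_crypto_backend`, its verdict strings and the sample files are constructed for illustration, and the rule it encodes is the one stated in the commit messages above for Linux builds with the Microsoft Go 1.26 toolchain.

```shell
#!/bin/sh
# Added example: lint a build file for the CGO_ENABLED / GOEXPERIMENT pairing.
# Rule assumed from this thread (Linux, Microsoft Go 1.26):
#   CGO_ENABLED=0 needs GOEXPERIMENT=ms_nocgo_opensslcrypto
#   CGO_ENABLED=1 may keep systemcrypto (explicit or default)

# check_crypto_backend FILE -> prints ok | mismatch | unset | no-cgo-setting
# (hypothetical helper; the last assignment seen in the file wins)
check_crypto_backend() {
    awk '
    {
        sub(/#.*/, "")    # ignore comments such as "# ... requires CGO"
        if (match($0, /GOEXPERIMENT=[A-Za-z0-9_,]+/))
            gexp = substr($0, RSTART + 13, RLENGTH - 13)
        if (match($0, /CGO_ENABLED=[01]/))
            cgo = substr($0, RSTART + 12, 1)
    }
    END {
        if (cgo == "")                             print "no-cgo-setting"
        else if (cgo == "1")                       print "ok"
        else if (gexp == "ms_nocgo_opensslcrypto") print "ok"
        else if (gexp == "")                       print "unset"
        else                                       print "mismatch"
    }' "$1"
}

# Constructed samples modelled on the hunks in this PR (not the repo's files)
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'export CGO_ENABLED=0\nexport GOEXPERIMENT=systemcrypto\n' \
    > "$tmp/first-revision.sh"
printf 'ENV GOEXPERIMENT=ms_nocgo_opensslcrypto\nRUN GOOS=$OS CGO_ENABLED=0 go build -o /go/bin/app .\n' \
    > "$tmp/nocgo.Dockerfile"
printf 'export CGO_ENABLED=1\nexport GOEXPERIMENT=systemcrypto\n' \
    > "$tmp/cshared.sh"
printf 'RUN GOOS=$OS CGO_ENABLED=0 go build -o /go/bin/app .\n' \
    > "$tmp/no-experiment.Dockerfile"

for f in "$tmp"/*; do
    printf '%s: %s\n' "${f##*/}" "$(check_crypto_backend "$f")"
done
```

In CI, run it over each Dockerfile and pipeline script and fail on any verdict other than `ok` or `no-cgo-setting`.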