Drop use of github.com/gorilla/mux

mux is replaced with a simple wrapper around http.ServeMux with middleware chain support

Unfortunately github.com/rootless-containers/rootlesskit/pkg/parent
still uses it so we can't drop the indirect dep yet.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Author: brandond

go.mod

@@ -101,7 +101,6 @@ require (
 	github.com/google/cadvisor v0.53.0
 	github.com/google/go-containerregistry v0.20.2
 	github.com/google/uuid v1.6.0
-	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674
 	github.com/inetaf/tcpproxy v0.0.0-20240214030015-3ce58045626c
 	github.com/ipfs/go-ds-leveldb v0.5.0
@@ -299,6 +298,7 @@ require (
 	github.com/google/go-tpm v0.9.6 // indirect
 	github.com/google/gopacket v1.1.19 // indirect
 	github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.0 // indirect

pkg/agent/https/https.go

@@ -5,10 +5,10 @@ import (
 	"strconv"
 	"sync"
 
-	"github.com/gorilla/mux"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/server/auth"
 	"github.com/k3s-io/k3s/pkg/util"
+	"github.com/k3s-io/k3s/pkg/util/mux"
 	"k8s.io/apiserver/pkg/server"
 	"k8s.io/apiserver/pkg/server/options"
 )
@@ -25,7 +25,7 @@ var err error
 // Subsequent calls will return the same router.
 func Start(ctx context.Context, nodeConfig *config.Node, runtime *config.ControlRuntime) (*mux.Router, error) {
 	once.Do(func() {
-		router = mux.NewRouter().SkipClean(true)
+		router = mux.NewRouter()
 		config := &server.Config{}
 
 		if runtime == nil {

pkg/cli/agent/agent.go

@@ -7,7 +7,6 @@ import (
 	"path/filepath"
 	"sync"
 
-	"github.com/gorilla/mux"
 	"github.com/k3s-io/k3s/pkg/agent"
 	"github.com/k3s-io/k3s/pkg/agent/https"
 	"github.com/k3s-io/k3s/pkg/cli/cmds"
@@ -20,6 +19,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/spegel"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/util/errors"
+	"github.com/k3s-io/k3s/pkg/util/mux"
 	"github.com/k3s-io/k3s/pkg/util/permissions"
 	"github.com/k3s-io/k3s/pkg/version"
 	"github.com/k3s-io/k3s/pkg/vpn"

pkg/cli/server/server.go

@@ -11,7 +11,6 @@ import (
 	"time"
 
 	systemd "github.com/coreos/go-systemd/v22/daemon"
-	"github.com/gorilla/mux"
 	"github.com/k3s-io/k3s/pkg/agent"
 	"github.com/k3s-io/k3s/pkg/agent/https"
 	"github.com/k3s-io/k3s/pkg/agent/loadbalancer"
@@ -30,6 +29,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/spegel"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/util/errors"
+	"github.com/k3s-io/k3s/pkg/util/mux"
 	"github.com/k3s-io/k3s/pkg/util/permissions"
 	"github.com/k3s-io/k3s/pkg/version"
 	"github.com/k3s-io/k3s/pkg/vpn"

pkg/cluster/managed.go

@@ -13,11 +13,11 @@ import (
 	"sync"
 	"time"
 
-	"github.com/gorilla/mux"
 	"github.com/k3s-io/k3s/pkg/cluster/managed"
 	"github.com/k3s-io/k3s/pkg/etcd"
 	"github.com/k3s-io/k3s/pkg/nodepassword"
 	"github.com/k3s-io/k3s/pkg/util"
+	"github.com/k3s-io/k3s/pkg/util/mux"
 	"github.com/k3s-io/k3s/pkg/version"
 	"github.com/sirupsen/logrus"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -144,10 +144,10 @@ func (c *Cluster) deleteNodePasswdSecret(ctx context.Context) {
 
 // handlerNoEtcd wraps a handler with an error message indicating that etcd is not deployed.
 func handlerNoEtcd(handler http.Handler) http.Handler {
-	r := mux.NewRouter().SkipClean(true)
+	r := mux.NewRouter()
 
 	// Wildcard route for anything after /db/
-	r.HandleFunc("/db/{_:.*}", func(resp http.ResponseWriter, r *http.Request) {
+	r.HandleFunc("/db/", func(resp http.ResponseWriter, r *http.Request) {
 		util.SendError(errors.New("etcd datastore disabled"), resp, r, http.StatusBadRequest)
 	})
 

pkg/etcd/etcd.go

@@ -19,7 +19,6 @@ import (
 	"time"
 
 	"github.com/google/uuid"
-	"github.com/gorilla/mux"
 	"github.com/k3s-io/k3s/pkg/clientaccess"
 	"github.com/k3s-io/k3s/pkg/cluster/managed"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
@@ -31,6 +30,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/signals"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/util/errors"
+	"github.com/k3s-io/k3s/pkg/util/mux"
 	"github.com/k3s-io/k3s/pkg/version"
 	kine "github.com/k3s-io/kine/pkg/app"
 	"github.com/k3s-io/kine/pkg/client"
@@ -744,16 +744,16 @@ func (e *ETCD) setName(force bool) error {
 
 // handler wraps the handler with routes for database info
 func (e *ETCD) handler(next http.Handler) http.Handler {
-	r := mux.NewRouter().SkipClean(true)
+	r := mux.NewRouter()
 	r.NotFoundHandler = next
 
-	ir := r.Path("/db/info").Subrouter()
+	ir := r.SubRouter("/db/info")
 	ir.Use(auth.IsLocalOrHasRole(e.config, version.Program+":server"))
-	ir.Handle("", e.infoHandler())
+	ir.Handle("/", e.infoHandler())
 
-	sr := r.Path("/db/snapshot").Subrouter()
+	sr := r.SubRouter("/db/snapshot")
 	sr.Use(auth.HasRole(e.config, version.Program+":server"))
-	sr.Handle("", e.snapshotHandler())
+	sr.Handle("/", e.snapshotHandler())
 
 	return r
 }

pkg/etcd/s3/s3_test.go

@@ -14,10 +14,10 @@ import (
 	"text/template"
 	"time"
 
-	"github.com/gorilla/mux"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/etcd/snapshot"
 	"github.com/k3s-io/k3s/pkg/util"
+	"github.com/k3s-io/k3s/pkg/util/mux"
 	"github.com/k3s-io/k3s/tests/mock"
 	"github.com/rancher/dynamiclistener/cert"
 	"github.com/rancher/wrangler/v3/pkg/generated/controllers/core"
@@ -1554,65 +1554,72 @@ func s3Router(t *testing.T) http.Handler {
 	// badbucket returns 404 for all requests
 	// authbucket returns 200 for HeadBucket, 403 for all others
 	// others return 200 for objects with name prefix snapshot, 404 for all others
-	router := mux.NewRouter().SkipClean(true)
+	router := mux.NewRouter()
 	// HeadBucket
-	router.Path("/{bucket}/").Methods(http.MethodHead).HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		vars := mux.Vars(r)
-		if vars["bucket"] == "badbucket" {
-			rw.WriteHeader(http.StatusNotFound)
-		}
-	})
 	// ListObjectsV2
-	router.Path("/{bucket}/").Methods(http.MethodGet).HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		vars := mux.Vars(r)
-		switch vars["bucket"] {
-		case "badbucket":
-			rw.WriteHeader(http.StatusNotFound)
-		case "authbucket":
-			rw.WriteHeader(http.StatusForbidden)
-		default:
-			prefix := r.URL.Query().Get("prefix")
-			filtered := []object{}
-			for _, object := range objects {
-				if strings.HasPrefix(object.Key, prefix) {
-					filtered = append(filtered, object)
-				}
+	router.HandleFunc("GET /{bucket}/{$}", func(rw http.ResponseWriter, r *http.Request) {
+		switch r.Method {
+		case http.MethodHead:
+			if r.PathValue("bucket") == "badbucket" {
+				rw.WriteHeader(http.StatusNotFound)
 			}
-			if err := listResponse.Execute(rw, bucket{Name: vars["bucket"], Prefix: prefix, Objects: filtered}); err != nil {
-				t.Errorf("Failed to generate ListObjectsV2 response, error = %v", err)
-				rw.WriteHeader(http.StatusInternalServerError)
+		case http.MethodGet:
+			switch r.PathValue("bucket") {
+			case "badbucket":
+				rw.WriteHeader(http.StatusNotFound)
+			case "authbucket":
+				rw.WriteHeader(http.StatusForbidden)
+			default:
+				prefix := r.URL.Query().Get("prefix")
+				filtered := []object{}
+				for _, object := range objects {
+					if strings.HasPrefix(object.Key, prefix) {
+						filtered = append(filtered, object)
+					}
+				}
+				if err := listResponse.Execute(rw, bucket{Name: r.PathValue("bucket"), Prefix: prefix, Objects: filtered}); err != nil {
+					t.Errorf("Failed to generate ListObjectsV2 response, error = %v", err)
+					rw.WriteHeader(http.StatusInternalServerError)
+				}
 			}
 		}
 	})
-	// HeadObject - snapshot
-	router.Path("/{bucket}/{prefix:.*}snapshot-{snapshot}").Methods(http.MethodHead).HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		vars := mux.Vars(r)
-		switch vars["bucket"] {
-		case "badbucket":
-			rw.WriteHeader(http.StatusNotFound)
-		case "authbucket":
-			rw.WriteHeader(http.StatusForbidden)
-		default:
-			rw.Header().Add("last-modified", time.Now().In(gmt).Format(time.RFC1123))
-		}
-	})
-	// GetObject - snapshot
-	router.Path("/{bucket}/{prefix:.*}snapshot-{snapshot}").Methods(http.MethodGet).HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		vars := mux.Vars(r)
-		switch vars["bucket"] {
-		case "badbucket":
-			rw.WriteHeader(http.StatusNotFound)
-		case "authbucket":
-			rw.WriteHeader(http.StatusForbidden)
-		default:
-			rw.Header().Add("last-modified", time.Now().In(gmt).Format(time.RFC1123))
-			rw.Write([]byte("test snapshot file\n"))
+	// HeadObject
+	// GetObject
+	router.HandleFunc("GET /{bucket}/{object...}", func(rw http.ResponseWriter, r *http.Request) {
+		switch r.Method {
+		case http.MethodHead:
+			switch r.PathValue("bucket") {
+			case "badbucket":
+				rw.WriteHeader(http.StatusNotFound)
+			case "authbucket":
+				rw.WriteHeader(http.StatusForbidden)
+			default:
+				if strings.Contains(r.PathValue("object"), "bad") {
+					rw.WriteHeader(http.StatusNotFound)
+				} else {
+					rw.Header().Add("last-modified", time.Now().In(gmt).Format(time.RFC1123))
+				}
+			}
+		case http.MethodGet:
+			switch r.PathValue("bucket") {
+			case "badbucket":
+				rw.WriteHeader(http.StatusNotFound)
+			case "authbucket":
+				rw.WriteHeader(http.StatusForbidden)
+			default:
+				if strings.Contains(r.PathValue("object"), "bad") {
+					rw.WriteHeader(http.StatusNotFound)
+				} else {
+					rw.Header().Add("last-modified", time.Now().In(gmt).Format(time.RFC1123))
+					rw.Write([]byte("test snapshot file\n"))
+				}
+			}
 		}
 	})
-	// PutObject/DeleteObject - snapshot
-	router.Path("/{bucket}/{prefix:.*}snapshot-{snapshot}").Methods(http.MethodPut, http.MethodDelete).HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		vars := mux.Vars(r)
-		switch vars["bucket"] {
+	// PutObject
+	router.HandleFunc("PUT /{bucket}/{object...}", func(rw http.ResponseWriter, r *http.Request) {
+		switch r.PathValue("bucket") {
 		case "badbucket":
 			rw.WriteHeader(http.StatusNotFound)
 		case "authbucket":
@@ -1623,45 +1630,27 @@ func s3Router(t *testing.T) http.Handler {
 			}
 		}
 	})
-	// HeadObject - snapshot metadata
-	router.Path("/{bucket}/{prefix:.*}.metadata/snapshot-{snapshot}").Methods(http.MethodHead).HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		vars := mux.Vars(r)
-		switch vars["bucket"] {
-		case "badbucket":
-			rw.WriteHeader(http.StatusNotFound)
-		case "authbucket":
-			rw.WriteHeader(http.StatusForbidden)
-		default:
-			rw.Header().Add("last-modified", time.Now().In(gmt).Format(time.RFC1123))
-		}
-	})
-	// GetObject - snapshot metadata
-	router.Path("/{bucket}/{prefix:.*}.metadata/snapshot-{snapshot}").Methods(http.MethodGet).HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		vars := mux.Vars(r)
-		switch vars["bucket"] {
-		case "badbucket":
-			rw.WriteHeader(http.StatusNotFound)
-		case "authbucket":
-			rw.WriteHeader(http.StatusForbidden)
-		default:
-			rw.Header().Add("last-modified", time.Now().In(gmt).Format(time.RFC1123))
-			rw.Write([]byte("test snapshot metadata\n"))
-		}
-	})
-	// PutObject/DeleteObject - snapshot metadata
-	router.Path("/{bucket}/{prefix:.*}.metadata/snapshot-{snapshot}").Methods(http.MethodPut, http.MethodDelete).HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		vars := mux.Vars(r)
-		switch vars["bucket"] {
+	// DeleteObject
+	router.HandleFunc("DELETE /{bucket}/{object...}", func(rw http.ResponseWriter, r *http.Request) {
+		switch r.PathValue("bucket") {
 		case "badbucket":
 			rw.WriteHeader(http.StatusNotFound)
 		case "authbucket":
 			rw.WriteHeader(http.StatusForbidden)
 		default:
 			if r.Method == http.MethodDelete {
-				rw.WriteHeader(http.StatusNoContent)
+				if strings.Contains(r.PathValue("object"), "bad") {
+					rw.WriteHeader(http.StatusNotFound)
+				} else {
+					rw.WriteHeader(http.StatusNoContent)
+				}
 			}
 		}
 	})
+	router.NotFoundHandler = http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		logrus.Errorf("Failed to match %q", r.URL)
+		rw.WriteHeader(http.StatusInternalServerError)
+	})
 	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		scheme := "http"
 		if r.TLS != nil {

pkg/etcd/snapshot_handler.go

@@ -12,6 +12,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/util/errors"
 	"github.com/sirupsen/logrus"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 )
 
 type SnapshotOperation string
@@ -178,7 +179,7 @@ func (e *ETCD) withRequest(sr *SnapshotRequest) *ETCD {
 // getSnapshotRequest unmarshalls the snapshot operation request from a client.
 func getSnapshotRequest(req *http.Request) (*SnapshotRequest, error) {
 	if req.Method != http.MethodPost {
-		return nil, http.ErrNotSupported
+		return nil, apierrors.NewMethodNotSupported(k3s.Resource("snapshot"), req.Method)
 	}
 	sr := &SnapshotRequest{}
 	b, err := io.ReadAll(req.Body)

pkg/metrics/metrics.go

@@ -4,11 +4,11 @@ import (
 	"context"
 	"errors"
 
-	"github.com/gorilla/mux"
 	"github.com/k3s-io/k3s/pkg/agent/https"
 	"github.com/k3s-io/k3s/pkg/agent/loadbalancer"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/etcd/snapshotmetrics"
+	"github.com/k3s-io/k3s/pkg/util/mux"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	lassometrics "github.com/rancher/lasso/pkg/metrics"
 	rdmetrics "github.com/rancher/remotedialer/metrics"

pkg/nodepassword/validate.go

@@ -10,10 +10,10 @@ import (
 	"sync"
 	"time"
 
-	"github.com/gorilla/mux"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/util/errors"
+	"github.com/k3s-io/k3s/pkg/version"
 	"github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -105,13 +105,12 @@ func getNodeInfo(req *http.Request) (*nodeInfo, error) {
 		return nil, errors.New("auth user not set")
 	}
 
-	program := mux.Vars(req)["program"]
-	nodeName := req.Header.Get(program + "-Node-Name")
+	nodeName := req.Header.Get(version.Program + "-Node-Name")
 	if nodeName == "" {
 		return nil, errors.New("node name not set")
 	}
 
-	nodePassword := req.Header.Get(program + "-Node-Password")
+	nodePassword := req.Header.Get(version.Program + "-Node-Password")
 	if nodePassword == "" {
 		return nil, errors.New("node password not set")
 	}