fix issues found by lint

Author: joonas-fi

pkg/erbackend/reverseproxybackend/reverseproxy.go

@@ -57,7 +57,8 @@ func NewWithModifyResponse(
 		if opts.TlsConfig != nil { // got custom TLS config?
 			return &http.Transport{
 				TLSClientConfig: &tls.Config{
-					ServerName:         opts.TlsConfig.ServerName,
+					ServerName: opts.TlsConfig.ServerName,
+					//nolint:gosec // InsecureSkipVerify intentionally configurable
 					InsecureSkipVerify: opts.TlsConfig.InsecureSkipVerify,
 				},
 			}
@@ -72,6 +73,7 @@ func NewWithModifyResponse(
 	return &httputil.ReverseProxy{
 		Transport: transport,
 		Director: func(req *http.Request) {
+			//nolint:gosec // Cryptographical randomness not required here
 			randomOriginIdx := rand.Intn(len(originUrls))
 
 			originUrl := originUrls[randomOriginIdx]

pkg/erconfig/appconfig.go

@@ -393,7 +393,9 @@ func (b *Backend) Describe() string {
 		return string(b.Kind) + ":" + b.TurbochargerOpts.Manifest.String()
 	case BackendKindAuthSso:
 		return string(b.Kind) + ":" + fmt.Sprintf("[audience=%s] -> %s", b.AuthSsoOpts.Audience, b.AuthSsoOpts.AuthorizedBackend.Describe())
-	default:
+	case BackendKindEdgerouterAdmin, BackendKindPromMetrics: // to please exhaustive lint
+		return string(b.Kind)
+	default: // should never actually arrive here
 		return string(b.Kind)
 	}
 }

pkg/erdiscovery/dockerdiscovery/docker.go

@@ -86,7 +86,9 @@ func (s *dockerDiscovery) ReadApplications(ctx context.Context) ([]erconfig.Appl
 		return nil, err
 	}
 
-	swarmServicesAndBareContainers := append(swarmServices, bareContainers...)
+	swarmServicesAndBareContainers := []Service{}
+	swarmServicesAndBareContainers = append(swarmServicesAndBareContainers, swarmServices...)
+	swarmServicesAndBareContainers = append(swarmServicesAndBareContainers, bareContainers...)
 
 	apps := []erconfig.Application{}
 

pkg/erdiscovery/s3discovery/s3discovery.go

@@ -4,7 +4,7 @@ package s3discovery
 import (
 	"bytes"
 	"context"
-	"crypto/sha1"
+	"crypto/sha1" //nolint:gosec // Not used for cryptographic purposes
 	"encoding/json"
 	"fmt"
 	"os"
@@ -62,6 +62,7 @@ func (d *s3discovery) ReadApplications(ctx context.Context) ([]erconfig.Applicat
 		return nil, fmt.Errorf("s3discovery: ListObjects: %v", err)
 	}
 
+	//nolint:gosec // Not used for cryptographic purposes
 	contentsEtagsHashBuilder := sha1.New()
 
 	for _, object := range listResponse.Contents {

pkg/erserver/hostregexp.go

@@ -28,9 +28,9 @@ func hostnameRegexpSyntaxToRegexp(in string) (*regexp.Regexp, error) {
 }
 
 func escapeRegexChars(in string) string {
-	return strings.Replace(in, ".", `\.`, -1)
+	return strings.ReplaceAll(in, ".", `\.`)
 }
 
 func unescapeRegexChars(in string) string {
-	return strings.Replace(in, `\.`, `.`, -1)
+	return strings.ReplaceAll(in, `\.`, `.`)
 }

pkg/erserver/ipfilter_test.go

@@ -40,6 +40,7 @@ allow_specified {
 `))
 	assert.Ok(t, err)
 
+	//nolint:gocritic // intentionally useless lambda, but useful as shorthand
 	ip := func(ipStr string) netaddr.IP { // shorthand
 		return netaddr.MustParseIP(ipStr)
 	}

pkg/erserver/serve.go

@@ -152,10 +152,15 @@ func Serve(ctx context.Context, logger *log.Logger) error {
 	tasks.Start("listener :443", func(ctx context.Context) error {
 		srv := &http.Server{
 			Addr: ":443",
+			// lint complains about too low MinVersion (the default, in Go sets it as TLS 1.0).
+			// purposefully leaving MinVersion as default because I feel Go stdlib's default MinVersion
+			// in the long run aligns with loadbalancer use case of conservatively having to support a wide base of users.
+			// https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls#decide-what-version-to-use
+			//
+			//nolint:gosec // rationale above
 			TLSConfig: &tls.Config{
-				// this integrates CertBus into your server - certificates are fetched
-				// dynamically from CertBus's dynamically managed state
-				GetCertificate: certBus.GetCertificateAdapter(),
+				// MinVersion: ... // purposefully unset to follow Go stdlib MinVersion
+				GetCertificate: getCertificateFn,
 			},
 			Handler: serveRequestWithMetricsCapture,
 		}