go.mod: update osbuild/images to v0.174.0

Also update the minimum required osbuild version by the osbuild/images library. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
2025-08-11 13:40:51 +02:00 · 2025-08-11 13:40:51 +02:00 · 74d2edb772
commit 74d2edb772
parent 3d0110f14e
110 changed files with 1218 additions and 1104 deletions
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md
@ -1,5 +1,11 @@
 # Release History

+## 1.18.2 (2025-07-31)
+
+### Bugs Fixed
+
+* Fixed a case in which `BearerTokenPolicy` didn't ensure an authentication error is non-retriable
+
 ## 1.18.1 (2025-07-10)

 ### Bugs Fixed
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go
@ -40,5 +40,5 @@ const (
 	Module = "azcore"

 	// Version is the semantic version (see http://semver.org) of this module.
-	Version = "v1.18.1"
+	Version = "v1.18.2"
 )
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_bearer_token.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_bearer_token.go
@ -97,7 +97,9 @@ func (b *BearerTokenPolicy) authenticateAndAuthorize(req *policy.Request) func(p
 		as := acquiringResourceState{p: b, req: req, tro: tro}
 		tk, err := b.mainResource.Get(as)
 		if err != nil {
-			return err
+			// consider this error non-retriable because if it could be resolved by
+			// retrying authentication, the credential would have done so already
+			return errorinfo.NonRetriableError(err)
 		}
 		req.Raw().Header.Set(shared.HeaderAuthorization, shared.BearerTokenPrefix+tk.Token)
 		return nil
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
@ -1,5 +1,23 @@
 # Release History

+## 1.11.0 (2025-08-05)
+
+### Other Changes
+- `DefaultAzureCredential` tries its next credential when a dev tool credential such as
+  `AzureCLICredential` returns an error
+
+## 1.11.0-beta.1 (2025-07-15)
+
+### Features Added
+- `DefaultAzureCredential` allows selecting one of its credential types by name via environment variable
+  `AZURE_TOKEN_CREDENTIALS`. It will use only the selected type at runtime. For example, set
+  `AZURE_TOKEN_CREDENTIALS=WorkloadIdentityCredential` to have `DefaultAzureCredential` use only
+  `WorkloadIdentityCredential`.
+
+### Other Changes
+- By default, `ManagedIdentityCredential` retries IMDS requests for a maximum of ~70 seconds as recommended
+  in IMDS documentation. In previous versions, it would stop retrying after ~54 seconds by default.
+
 ## 1.10.1 (2025-06-10)

 ### Bugs Fixed
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
@ -86,6 +86,7 @@ azlog.SetEvents(azidentity.EventAuthentication)
 |"DefaultAzureCredential failed to acquire a token"|No credential in the `DefaultAzureCredential` chain provided a token|<ul><li>[Enable logging](#enable-and-configure-logging) to get further diagnostic information.</li><li>Consult the troubleshooting guide for underlying credential types for more information.</li><ul><li>[EnvironmentCredential](#troubleshoot-environmentcredential-authentication-issues)</li><li>[ManagedIdentityCredential](#troubleshoot-managedidentitycredential-authentication-issues)</li><li>[AzureCLICredential](#troubleshoot-azureclicredential-authentication-issues)</li></ul>|
 |Error from the client with a status code of 401 or 403|Authentication succeeded but the authorizing Azure service responded with a 401 (Unauthorized), or 403 (Forbidden) status code|<ul><li>[Enable logging](#enable-and-configure-logging) to determine which credential in the chain returned the authenticating token.</li><li>If an unexpected credential is returning a token, check application configuration such as environment variables.</li><li>Ensure the correct role is assigned to the authenticated identity. For example, a service specific role rather than the subscription Owner role.</li></ul>|
 |"managed identity timed out"|`DefaultAzureCredential` sets a short timeout on its first managed identity authentication attempt to prevent very long timeouts during local development when no managed identity is available. That timeout causes this error in production when an application requests a token before the hosting environment is ready to provide one.|Use [ManagedIdentityCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ManagedIdentityCredential) directly, at least in production. It doesn't set a timeout on its authentication attempts.|
+|invalid AZURE_TOKEN_CREDENTIALS value "..."|AZURE_TOKEN_CREDENTIALS has an unexpected value|Specify a valid value as described in [DefaultAzureCredential documentation](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential)

 ## Troubleshoot EnvironmentCredential authentication issues

--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/ci.yml
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/ci.yml
@ -43,4 +43,4 @@ extends:
            Selection: sparse
        MatrixReplace:
          - Pool=.*LINUXPOOL.*/azsdk-pool-mms-ubuntu-2204-identitymsi
-          - OSVmImage=.*LINUXNEXTVMIMAGE.*/azsdk-pool-mms-ubuntu-2204-1espt
+          - OSVmImage=.*LINUXVMIMAGE.*/azsdk-pool-mms-ubuntu-2204-1espt
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go
@ -19,6 +19,15 @@ import (

 const azureTokenCredentials = "AZURE_TOKEN_CREDENTIALS"

+// bit flags NewDefaultAzureCredential uses to parse AZURE_TOKEN_CREDENTIALS
+const (
+	env = uint8(1) << iota
+	workloadIdentity
+	managedIdentity
+	az
+	azd
+)
+
 // DefaultAzureCredentialOptions contains optional parameters for DefaultAzureCredential.
 // These options may not apply to all credentials in the chain.
 type DefaultAzureCredentialOptions struct {
@ -63,6 +72,16 @@ type DefaultAzureCredentialOptions struct {
 // Once a credential has successfully authenticated, DefaultAzureCredential will use that credential for
 // every subsequent authentication.
 //
+// # Selecting credentials
+//
+// Set environment variable AZURE_TOKEN_CREDENTIALS to select a subset of the credential chain described above.
+// DefaultAzureCredential will try only the specified credential(s), but its other behavior remains the same.
+// Valid values for AZURE_TOKEN_CREDENTIALS are the name of any single type in the above chain, for example
+// "EnvironmentCredential" or "AzureCLICredential", and these special values:
+//
+//   - "dev": try [AzureCLICredential] and [AzureDeveloperCLICredential], in that order
+//   - "prod": try [EnvironmentCredential], [WorkloadIdentityCredential], and [ManagedIdentityCredential], in that order
+//
 // [DefaultAzureCredential overview]: https://aka.ms/azsdk/go/identity/credential-chains#defaultazurecredential-overview
 type DefaultAzureCredential struct {
 	chain *ChainedTokenCredential
@ -71,19 +90,29 @@ type DefaultAzureCredential struct {
 // NewDefaultAzureCredential creates a DefaultAzureCredential. Pass nil for options to accept defaults.
 func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*DefaultAzureCredential, error) {
 	var (
-		creds                   []azcore.TokenCredential
-		errorMessages           []string
-		includeDev, includeProd = true, true
+		creds         []azcore.TokenCredential
+		errorMessages []string
+		selected      = env | workloadIdentity | managedIdentity | az | azd
 	)

-	if c, ok := os.LookupEnv(azureTokenCredentials); ok {
-		switch c {
-		case "dev":
-			includeProd = false
-		case "prod":
-			includeDev = false
+	if atc, ok := os.LookupEnv(azureTokenCredentials); ok {
+		switch {
+		case atc == "dev":
+			selected = az | azd
+		case atc == "prod":
+			selected = env | workloadIdentity | managedIdentity
+		case strings.EqualFold(atc, credNameEnvironment):
+			selected = env
+		case strings.EqualFold(atc, credNameWorkloadIdentity):
+			selected = workloadIdentity
+		case strings.EqualFold(atc, credNameManagedIdentity):
+			selected = managedIdentity
+		case strings.EqualFold(atc, credNameAzureCLI):
+			selected = az
+		case strings.EqualFold(atc, credNameAzureDeveloperCLI):
+			selected = azd
 		default:
-			return nil, fmt.Errorf(`invalid %s value %q. Valid values are "dev" and "prod"`, azureTokenCredentials, c)
+			return nil, fmt.Errorf(`invalid %s value %q. Valid values are "dev", "prod", or the name of any credential type in the default chain. See https://aka.ms/azsdk/go/identity/docs#DefaultAzureCredential for more information`, azureTokenCredentials, atc)
 		}
 	}

@ -96,8 +125,7 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
 			additionalTenants = strings.Split(tenants, ";")
 		}
 	}
-
-	if includeProd {
+	if selected&env != 0 {
 		envCred, err := NewEnvironmentCredential(&EnvironmentCredentialOptions{
 			ClientOptions:              options.ClientOptions,
 			DisableInstanceDiscovery:   options.DisableInstanceDiscovery,
@ -107,9 +135,10 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
 			creds = append(creds, envCred)
 		} else {
 			errorMessages = append(errorMessages, "EnvironmentCredential: "+err.Error())
-			creds = append(creds, &defaultCredentialErrorReporter{credType: "EnvironmentCredential", err: err})
+			creds = append(creds, &defaultCredentialErrorReporter{credType: credNameEnvironment, err: err})
 		}
-
+	}
+	if selected&workloadIdentity != 0 {
 		wic, err := NewWorkloadIdentityCredential(&WorkloadIdentityCredentialOptions{
 			AdditionallyAllowedTenants: additionalTenants,
 			ClientOptions:              options.ClientOptions,
@ -122,7 +151,8 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
 			errorMessages = append(errorMessages, credNameWorkloadIdentity+": "+err.Error())
 			creds = append(creds, &defaultCredentialErrorReporter{credType: credNameWorkloadIdentity, err: err})
 		}
-
+	}
+	if selected&managedIdentity != 0 {
 		o := &ManagedIdentityCredentialOptions{ClientOptions: options.ClientOptions, dac: true}
 		if ID, ok := os.LookupEnv(azureClientID); ok {
 			o.ID = ClientID(ID)
@ -135,18 +165,24 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
 			creds = append(creds, &defaultCredentialErrorReporter{credType: credNameManagedIdentity, err: err})
 		}
 	}
-	if includeDev {
-		azCred, err := NewAzureCLICredential(&AzureCLICredentialOptions{AdditionallyAllowedTenants: additionalTenants, TenantID: options.TenantID})
+	if selected&az != 0 {
+		azCred, err := NewAzureCLICredential(&AzureCLICredentialOptions{
+			AdditionallyAllowedTenants: additionalTenants,
+			TenantID:                   options.TenantID,
+			inDefaultChain:             true,
+		})
 		if err == nil {
 			creds = append(creds, azCred)
 		} else {
 			errorMessages = append(errorMessages, credNameAzureCLI+": "+err.Error())
 			creds = append(creds, &defaultCredentialErrorReporter{credType: credNameAzureCLI, err: err})
 		}
-
+	}
+	if selected&azd != 0 {
 		azdCred, err := NewAzureDeveloperCLICredential(&AzureDeveloperCLICredentialOptions{
 			AdditionallyAllowedTenants: additionalTenants,
 			TenantID:                   options.TenantID,
+			inDefaultChain:             true,
 		})
 		if err == nil {
 			creds = append(creds, azdCred)
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/environment_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/environment_credential.go
@ -18,7 +18,10 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/internal/log"
 )

-const envVarSendCertChain = "AZURE_CLIENT_SEND_CERTIFICATE_CHAIN"
+const (
+	credNameEnvironment = "EnvironmentCredential"
+	envVarSendCertChain = "AZURE_CLIENT_SEND_CERTIFICATE_CHAIN"
+)

 // EnvironmentCredentialOptions contains optional parameters for EnvironmentCredential
 type EnvironmentCredentialOptions struct {
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed-identity-matrix.json
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed-identity-matrix.json
@ -4,7 +4,7 @@
            "Agent": {
                "msi_image": {
                    "ArmTemplateParameters": "@{deployResources = $true}",
-                    "OSVmImage": "env:LINUXNEXTVMIMAGE",
+                    "OSVmImage": "env:LINUXVMIMAGE",
                    "Pool": "env:LINUXPOOL"
                }
            },
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go
@ -54,10 +54,10 @@ type managedIdentityClient struct {
 // setIMDSRetryOptionDefaults sets zero-valued fields to default values appropriate for IMDS
 func setIMDSRetryOptionDefaults(o *policy.RetryOptions) {
 	if o.MaxRetries == 0 {
-		o.MaxRetries = 5
+		o.MaxRetries = 6
 	}
 	if o.MaxRetryDelay == 0 {
-		o.MaxRetryDelay = 1 * time.Minute
+		o.MaxRetryDelay = 25 * time.Second
 	}
 	if o.RetryDelay == 0 {
 		o.RetryDelay = 2 * time.Second
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/test-resources-post.ps1
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/test-resources-post.ps1
@ -100,7 +100,7 @@ $idName = $DeploymentOutputs['AZIDENTITY_USER_ASSIGNED_IDENTITY_NAME']
 $issuer = az aks show -g $rg -n $aksName --query "oidcIssuerProfile.issuerUrl" -otsv
 $podName = "azidentity-test"
 $serviceAccountName = "workload-identity-sa"
-az identity federated-credential create -g $rg --identity-name $idName --issuer $issuer --name $idName --subject system:serviceaccount:default:$serviceAccountName
+az identity federated-credential create -g $rg --identity-name $idName --issuer $issuer --name $idName --subject system:serviceaccount:default:$serviceAccountName --audiences api://AzureADTokenExchange
 Write-Host "Deploying to AKS"
 az aks get-credentials -g $rg -n $aksName
 az aks update --attach-acr $DeploymentOutputs['AZIDENTITY_ACR_NAME'] -g $rg -n $aksName
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
@ -14,5 +14,5 @@ const (
 	module = "github.com/Azure/azure-sdk-for-go/sdk/" + component

 	// Version is the semantic version (see http://semver.org) of this module.
-	version = "v1.10.1"
+	version = "v1.11.0"
 )
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo/errorinfo.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo/errorinfo.go
@ -6,6 +6,8 @@

 package errorinfo

+import "errors"
+
 // NonRetriable represents a non-transient error.  This works in
 // conjunction with the retry policy, indicating that the error condition
 // is idempotent, so no retries will be attempted.
@ -15,10 +17,14 @@ type NonRetriable interface {
 	NonRetriable()
 }

-// NonRetriableError marks the specified error as non-retriable.
-// This function takes an error as input and returns a new error that is marked as non-retriable.
+// NonRetriableError ensures the specified error is [NonRetriable]. If
+// the error is already [NonRetriable], it returns that error unchanged.
+// Otherwise, it returns a new, [NonRetriable] error.
 func NonRetriableError(err error) error {
-	return &nonRetriableError{err}
+	if !errors.As(err, new(NonRetriable)) {
+		err = &nonRetriableError{err}
+	}
+	return err
 }

 // nonRetriableError is a struct that embeds the error interface.