🐘 Untangle genproto / cloud.google.com/go dependencies #113366
Description
#113225 uncovered a coming snarl of dependencies between cloud.google.com/go and google.golang.org/genproto
Because several generic libraries use the cloud.google.com/go/compute/metadata package, the following chain makes it almost impossible to avoid adding all cloud.google.com/go submodules into the dependency graph for all downstream consumers:
- {golang.org/x/oauth2, google.golang.org/api, google.golang.org/grpc} --> cloud.google.com/go/compute --> cloud.google.com/go --> google.golang.org/genproto --> cloud.google.com/go/*
It's possible we can avoid the updates that expanded these cross-references in the short-term with judicious upstream changes back to older genproto versions, but we should get ahead of this if we want to avoid being forced to pull in these dependency graph increases in the future for a critical bugfix.
Recommendations
1. Isolate cloud.google.com/go/compute/metadata
The cloud.google.com/go/compute/metadata package (https://github.com/googleapis/google-cloud-go/tree/main/compute/metadata) only uses stdlib dependencies, but lives inside cloud.google.com/go/compute, which has many other references (https://github.com/googleapis/google-cloud-go/blob/main/compute/go.mod)
-
Isolate cloud.google.com/go/compute/metadata to its own zero-dependency module
- compute/metadata: make its own module googleapis/google-cloud-go#6311 / https://pkg.go.dev/cloud.google.com/go/compute/metadata
- drop backreference to
cloud.google.com/go/computefrom https://github.com/googleapis/google-cloud-go/blob/main/compute/metadata/go.mod#L5 to reach zero-dependencies - chore: re-drop weak refs to parent modules and tag googleapis/google-cloud-go#9545 - tag a release of cloud.google.com/go/compute/metadata - compute/metadata/v0.3.0
-
Sweep dependencies using cloud.google.com/go/compute/metadata and update them to use the zero-dependency alternative
- golang.org/x/oauth2 - v0.20.0+
- google.golang.org/api - v0.174.0+
- google.golang.org/grpc - v1.65.0+
- github.com/google/cadvisor (transitive via golang.org/x/oauth2, google.golang.org/api, google.golang.org/grpc)
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (transitive via golang.org/x/oauth2, google.golang.org/grpc)
2. Prune use of cloud genproto packages in non-cloud.google.com modules
- Update github.com/googleapis/gax-go/v2 test to not require the google.golang.org/genproto/googleapis/cloud/location package
3. Isolate generic genproto packages
-
make the types in the following generic packages available without dragging in all of cloud.google.com/go
- google.golang.org/genproto/googleapis/api/...
- google.golang.org/genproto/googleapis/bytestream
- google.golang.org/genproto/googleapis/rpc/...
4. Drop use of google.golang.org/genproto/protobuf/field_mask
Update to use canonical google.golang.org/protobuf/types/known/fieldmaskpb package instead
- google.golang.org/genproto
- cloud.google.com/go
- github.com/grpc-ecosystem/grpc-gateway/v2
- github.com/grpc-ecosystem/grpc-gateway
- Mark grpc-gateway v1 as an unwanted dependency #118119
- etcd depends on two different versions of the same package -
grpc-gatewayetcd-io/etcd#14499 (used by go.etcd.io/etcd/api/v3 / go.etcd.io/etcd/server/v3)- Upgrade grpc-gateway from v1 to v2 etcd-io/etcd#16595
- etcd client release (3.6)
- update kubernetes to use etcd client 3.6+ - etcd 3.6 client update #128419
/priority important-longterm
/area code-organization
/sig architecture
/cc @dims
fyi @codyoss @bertinatto