envoyproxy · arkodg · Nov 4, 2025 · Nov 4, 2025 · Nov 4, 2025 · Nov 4, 2025
@@ -170,43 +170,43 @@ func patchTopologyInjectorWebhook(ctx context.Context, cli client.Client, cfg *c
 }
 
 // outputCertsForLocal outputs the provided certs to the local directory as files.
-func outputCertsForLocal(localPath string, certs *crypto.Certificates) (err error) {
+func outputCertsForLocal(localPath string, certs *crypto.Certificates) error {
 	egDir := path.Join(localPath, "envoy-gateway")
-	if err = file.WriteDir(certs.CACertificate, egDir, "ca.crt"); err != nil {
+	if err := file.WriteDir(certs.CACertificate, egDir, "ca.crt"); err != nil {
 		return err
 	}
-	if err = file.WriteDir(certs.EnvoyGatewayCertificate, egDir, "tls.crt"); err != nil {
+	if err := file.WriteDir(certs.EnvoyGatewayCertificate, egDir, "tls.crt"); err != nil {
 		return err
 	}
-	if err = file.WriteDir(certs.EnvoyGatewayPrivateKey, egDir, "tls.key"); err != nil {
+	if err := file.WriteDir(certs.EnvoyGatewayPrivateKey, egDir, "tls.key"); err != nil {
 		return err
 	}
 
 	envoyDir := path.Join(localPath, "envoy")
-	if err = file.WriteDir(certs.CACertificate, envoyDir, "ca.crt"); err != nil {
+	if err := file.WriteDir(certs.CACertificate, envoyDir, "ca.crt"); err != nil {
 		return err
 	}
-	if err = file.WriteDir(certs.EnvoyCertificate, envoyDir, "tls.crt"); err != nil {
+	if err := file.WriteDir(certs.EnvoyCertificate, envoyDir, "tls.crt"); err != nil {
 		return err
 	}
-	if err = file.WriteDir(certs.EnvoyPrivateKey, envoyDir, "tls.key"); err != nil {
+	if err := file.WriteDir(certs.EnvoyPrivateKey, envoyDir, "tls.key"); err != nil {
 		return err
 	}
 
 	rlDir := path.Join(localPath, "envoy-rate-limit")
-	if err = file.WriteDir(certs.CACertificate, rlDir, "ca.crt"); err != nil {
+	if err := file.WriteDir(certs.CACertificate, rlDir, "ca.crt"); err != nil {
 		return err
 	}
-	if err = file.WriteDir(certs.EnvoyRateLimitCertificate, rlDir, "tls.crt"); err != nil {
+	if err := file.WriteDir(certs.EnvoyRateLimitCertificate, rlDir, "tls.crt"); err != nil {
 		return err
 	}
-	if err = file.WriteDir(certs.EnvoyRateLimitPrivateKey, rlDir, "tls.key"); err != nil {
+	if err := file.WriteDir(certs.EnvoyRateLimitPrivateKey, rlDir, "tls.key"); err != nil {
 		return err
 	}
 
-	if err = file.WriteDir(certs.OIDCHMACSecret, path.Join(localPath, "envoy-oidc-hmac"), "hmac-secret"); err != nil {
+	if err := file.WriteDir(certs.OIDCHMACSecret, path.Join(localPath, "envoy-oidc-hmac"), "hmac-secret"); err != nil {
 		return err
 	}
 
-	return
+	return nil
 }
@@ -175,12 +175,12 @@ func (fw *fileWatcher) findWorker(path string) (*workerState, string, error) {
 	return ws, cleanedPath, nil
 }
 
-func getPath(path string) (cleanedPath, parentPath string) {
-	cleanedPath = filepath.Clean(path)
-	parentPath, _ = filepath.Split(cleanedPath)
+func getPath(path string) (string, string) {
+	cleanedPath := filepath.Clean(path)
+	parentPath, _ := filepath.Split(cleanedPath)
 	if f, err := os.Lstat(cleanedPath); err == nil && f.IsDir() {
 		parentPath = cleanedPath
 	}
 
-	return
+	return cleanedPath, parentPath
 }
@@ -78,7 +78,7 @@ func (r *Runner) Name() string {
 }
 
 // Start starts the gateway-api translator runner
-func (r *Runner) Start(ctx context.Context) (err error) {
+func (r *Runner) Start(ctx context.Context) error {
 	r.Logger = r.Logger.WithName(r.Name()).WithValues("runner", r.Name())
 
 	go r.startWasmCache(ctx)
@@ -88,7 +88,7 @@ func (r *Runner) Start(ctx context.Context) (err error) {
 
 	go r.subscribeAndTranslate(c)
 	r.Logger.Info("started")
-	return
+	return nil
 }
 
 func (r *Runner) startWasmCache(ctx context.Context) {
@@ -362,18 +362,19 @@ func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *re
 	r.Logger.Info("shutting down")
 }
 
-func (r *Runner) loadTLSConfig(ctx context.Context) (tlsConfig *tls.Config, salt []byte, err error) {
+func (r *Runner) loadTLSConfig(ctx context.Context) (*tls.Config, []byte, error) {
 	switch {
 	case r.EnvoyGateway.Provider.IsRunningOnKubernetes():
-		salt, err = hmac(ctx, r.ControllerNamespace)
+		salt, err := hmac(ctx, r.ControllerNamespace)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to get hmac secret: %w", err)
 		}
 
-		tlsConfig, err = crypto.LoadTLSConfig(serveTLSCertFilepath, serveTLSKeyFilepath, serveTLSCaFilepath)
+		tlsConfig, err := crypto.LoadTLSConfig(serveTLSCertFilepath, serveTLSKeyFilepath, serveTLSCaFilepath)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to create tls config: %w", err)
 		}
+		return tlsConfig, salt, nil
 
 	case r.EnvoyGateway.Provider.IsRunningOnHost():
 		// Get config
@@ -390,7 +391,7 @@ func (r *Runner) loadTLSConfig(ctx context.Context) (tlsConfig *tls.Config, salt
 
 		// Read HMAC secret
 		hmacPath := filepath.Join(paths.CertDir("envoy-oidc-hmac"), "hmac-secret")
-		salt, err = os.ReadFile(hmacPath)
+		salt, err := os.ReadFile(hmacPath)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to get hmac secret: %w", err)
 		}
@@ -400,15 +401,15 @@ func (r *Runner) loadTLSConfig(ctx context.Context) (tlsConfig *tls.Config, salt
 		keyPath := filepath.Join(certDir, "tls.key")
 		caPath := filepath.Join(certDir, "ca.crt")
 
-		tlsConfig, err = crypto.LoadTLSConfig(certPath, keyPath, caPath)
+		tlsConfig, err := crypto.LoadTLSConfig(certPath, keyPath, caPath)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to create tls config: %w", err)
 		}
+		return tlsConfig, salt, nil
 
 	default:
 		return nil, nil, fmt.Errorf("no valid tls certificates")
 	}
-	return
 }
 
 func unstructuredToPolicyStatus(policyStatus map[string]any) gwapiv1.PolicyStatus {
@@ -684,7 +685,7 @@ func (r *Runner) deleteKeys(kc *KeyCache) {
 
 // hmac returns the HMAC secret generated by the CertGen job.
 // hmac will be used as a hash salt to generate unguessable downloading paths for Wasm modules.
-func hmac(ctx context.Context, namespace string) (hmac []byte, err error) {
+func hmac(ctx context.Context, namespace string) ([]byte, error) {
 	// Get the HMAC secret.
 	// HMAC secret is generated by the CertGen job and stored in a secret
 	cfg, err := ctrl.GetConfig()
@@ -707,5 +708,5 @@ func hmac(ctx context.Context, namespace string) (hmac []byte, err error) {
 		return nil, fmt.Errorf(
 			"HMAC secret not found in secret %s/%s", namespace, hmacSecretName)
 	}
-	return
+	return hmac, err
 }
@@ -171,7 +171,7 @@ func TestUpdateGatewayStatusProgrammedCondition(t *testing.T) {
 					for i := 0; i < 20; i++ {
 						addr.IPv4 = append(addr.IPv4, strconv.Itoa(i))
 					}
-					return
+					return addr
 				}(),
 				svc: &corev1.Service{
 					TypeMeta:   metav1.TypeMeta{},
@@ -192,7 +192,7 @@ func TestUpdateGatewayStatusProgrammedCondition(t *testing.T) {
 						Value: strconv.Itoa(i),
 					})
 				}
-				return
+				return addr
 			}(),
 		},
 		{

@@ -347,7 +347,7 @@ func (t *Translator) GetRelevantGateways(resources *resource.Resources) (
 			status.SetGatewayClassAccepted(resources.GatewayClass,
 				false, string(gwapiv1.GatewayClassReasonInvalidParameters),
 				fmt.Sprintf("%s: %v", status.MsgGatewayClassInvalidParams, err))
-			return
+			return acceptedGateways, failedGateways
 		}
 
 		// TODO: remove this nil check after we update all the testdata.
@@ -413,7 +413,7 @@ func (t *Translator) GetRelevantGateways(resources *resource.Resources) (
 		gCtx.ResetListeners(resources, envoyproxyMap)
 		acceptedGateways = append(acceptedGateways, gCtx)
 	}
-	return
+	return acceptedGateways, failedGateways
 }
 
 func validateEnvoyProxy(ep *egv1a1.EnvoyProxy) error {

@@ -72,7 +72,7 @@ func New(cfg *Config) *Runner {
 }
 
 // Start starts the infrastructure runner
-func (r *Runner) Start(ctx context.Context) (err error) {
+func (r *Runner) Start(ctx context.Context) error {
 	r.Logger = r.Logger.WithName(r.Name()).WithValues("runner", r.Name())
 
 	// Set up the gRPC server and register the xDS handler.
@@ -101,7 +101,7 @@ func (r *Runner) Start(ctx context.Context) (err error) {
 	go r.translateFromSubscription(ctx, c)
 
 	r.Logger.Info("started")
-	return
+	return err
 }
 
 func (r *Runner) serveXdsConfigServer(ctx context.Context) {
@@ -211,7 +211,7 @@ func (r *Runner) addNewSnapshot(ctx context.Context, resource types.XdsResources
 	return nil
 }
 
-func (r *Runner) loadTLSConfig() (tlsConfig *tls.Config, err error) {
+func (r *Runner) loadTLSConfig() (*tls.Config, error) {
 	var certPath, keyPath, caPath string
 
 	switch {
@@ -240,9 +240,9 @@ func (r *Runner) loadTLSConfig() (tlsConfig *tls.Config, err error) {
 		return nil, fmt.Errorf("no valid tls certificates")
 	}
 
-	tlsConfig, err = crypto.LoadTLSConfig(certPath, keyPath, caPath)
+	tlsConfig, err := crypto.LoadTLSConfig(certPath, keyPath, caPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create tls config: %w", err)
 	}
-	return
+	return tlsConfig, err
 }
@@ -99,7 +99,7 @@ func (r *Runner) Start(ctx context.Context) (err error) {
 		// Since leader election is disabled subscribe to infraIR to initialize the infrastructure and Close when the context is done.
 		go subscribeInitInfraAndCloseInfraIRMessage()
 	}
-	return
+	return err
 }
 
 func (r *Runner) updateProxyInfraFromSubscription(ctx context.Context, sub <-chan watchable.Snapshot[string, *ir.Infra]) {

@@ -188,5 +188,5 @@ func (c *client) PodExec(namespacedName types.NamespacedName, container, command
 
 	stdout = stdoutBuf.String()
 	stderr = stderrBuf.String()
-	return
+	return stdout, stderr, err
 }
@@ -87,17 +87,16 @@ func (r *Runner) createKubernetesProvider(ctx context.Context) (*kubernetes.Prov
 	return p, err
 }
 
-func (r *Runner) createCustomResourceProvider(ctx context.Context) (p provider.Provider, err error) {
+func (r *Runner) createCustomResourceProvider(ctx context.Context) (provider.Provider, error) {
 	switch r.EnvoyGateway.Provider.Custom.Resource.Type {
 	case egv1a1.ResourceProviderTypeFile:
-		p, err = file.New(ctx, &r.Server, r.ProviderResources)
+		p, err := file.New(ctx, &r.Server, r.ProviderResources)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create provider %s: %w", egv1a1.ProviderTypeCustom, err)
 		}
+		return p, err
 
 	default:
 		return nil, fmt.Errorf("unsupported resource provider type")
 	}
-
-	return
 }
@@ -26,8 +26,8 @@ func ValidateOutputPath(outputPath string) (string, error) {
 }
 
 // ListDirsAndFiles return a list of directories and files from a list of paths recursively.
-func ListDirsAndFiles(paths []string) (dirs, files sets.Set[string]) {
-	dirs, files = sets.New[string](), sets.New[string]()
+func ListDirsAndFiles(paths []string) (sets.Set[string], sets.Set[string]) {
+	dirs, files := sets.New[string](), sets.New[string]()
 	// Separate paths by whether is a directory or not.
 	paths = sets.NewString(paths...).UnsortedList()
 	for _, path := range paths {
@@ -54,7 +54,7 @@ func ListDirsAndFiles(paths []string) (dirs, files sets.Set[string]) {
 	}
 	files.Delete(ignoreFiles...)
 
-	return
+	return dirs, files
 }
 
 // GetParentDirs returns all the parent directories of given files.

@@ -803,7 +803,7 @@ func TestWasmCache(t *testing.T) {
 	}
 }
 
-func setupOCIRegistry(t *testing.T, host string) (dockerImageDigest, invalidOCIImageDigest string) {
+func setupOCIRegistry(t *testing.T, host string) (string, string) {
 	// Push *compat* variant docker image (others are well tested in imagefetcher's test and the behavior is consistent).
 	ref := fmt.Sprintf("%s/test/valid/docker:v0.1.0", host)
 	binary := wasmHeader
@@ -845,7 +845,7 @@ func setupOCIRegistry(t *testing.T, host string) (dockerImageDigest, invalidOCII
 
 	// Calculate sum
 	d, _ := img.Digest()
-	dockerImageDigest = d.Hex
+	dockerImageDigest := d.Hex
 
 	// Finally push the invalid image.
 	ref = fmt.Sprintf("%s/test/invalid", host)
@@ -862,14 +862,14 @@ func setupOCIRegistry(t *testing.T, host string) (dockerImageDigest, invalidOCII
 	img2 = mutate.MediaType(img2, types.OCIManifestSchema1)
 
 	d, _ = img2.Digest()
-	invalidOCIImageDigest = d.Hex
+	invalidOCIImageDigest := d.Hex
 
 	// Push image to the registry.
 	err = crane.Push(img2, ref, fetchOpt)
 	if err != nil {
 		t.Fatal(err)
 	}
-	return
+	return dockerImageDigest, invalidOCIImageDigest
 }
 
 func TestWasmCachePolicyChangesUsingHTTP(t *testing.T) {

@@ -96,11 +96,11 @@ func NewImageFetcher(ctx context.Context, opt ImageFetcherOption, logger logging
 // PrepareFetch is the entrypoint for fetching Wasm binary from Wasm Image Specification compatible images.
 // Wasm binary is not fetched immediately, but returned by `binaryFetcher` function, which is returned by PrepareFetch.
 // By this way, we can have another chance to check cache with `actualDigest` without downloading the OCI image.
-func (o *ImageFetcher) PrepareFetch(url string) (binaryFetcher func() ([]byte, error), actualDigest string, err error) {
+func (o *ImageFetcher) PrepareFetch(url string) (func() ([]byte, error), string, error) {
 	ref, err := name.ParseReference(url)
 	if err != nil {
 		err = fmt.Errorf("could not parse url in image reference: %w", err)
-		return
+		return nil, "", err
 	}
 	o.logger.Info("fetching image", "image", ref.Context().RepositoryStr(),
 		"registry", ref.Context().RegistryStr(), "tag", ref.Identifier())
@@ -118,20 +118,20 @@ func (o *ImageFetcher) PrepareFetch(url string) (binaryFetcher func() ([]byte, e
 
 	if err != nil {
 		err = fmt.Errorf("could not fetch manifest: %w", err)
-		return
+		return nil, "", err
 	}
 
 	// Fetch image.
 	img, err := desc.Image()
 	if err != nil {
 		err = fmt.Errorf("could not fetch image: %w", err)
-		return
+		return nil, "", err
 	}
 
 	// Check Manifest's digest if expManifestDigest is not empty.
 	d, _ := img.Digest()
-	actualDigest = d.Hex
-	binaryFetcher = func() ([]byte, error) {
+	actualDigest := d.Hex
+	binaryFetcher := func() ([]byte, error) {
 		manifest, err := img.Manifest()
 		if err != nil {
 			return nil, fmt.Errorf("could not retrieve manifest: %w", err)
@@ -168,7 +168,7 @@ func (o *ImageFetcher) PrepareFetch(url string) (binaryFetcher func() ([]byte, e
 			),
 		)
 	}
-	return
+	return binaryFetcher, actualDigest, err
 }
 
 // extractDockerImage extracts the Wasm binary from the