Bump spegel to v0.0.30

[brandond]

Proposed Changes

• Bump spegel to v0.0.30
• Modify bootstrappers to return multiple addresses instead of just one, to track with the upstream change from Change bootstrapper to allow returning multiple peers spegel-org/spegel#683.
  With this change, all nodes now register their peer address in an annotation instead of only server nodes - and new nodes will be seeded with the complete list of cluster members instead of just a single random server node.
• Modify bootstrapper.Run() to block until the context is done, as the libp2p host will now be closed as soon as that function returns: Fix p2p router close panic and add tests spegel-org/spegel#703 (comment)

Types of Changes

version bump

Verification

Check version in go.mod

Testing

yes

Linked Issues

• Bump spegel to v0.0.30 #11639

User-Facing Change

Further Comments

[codecov]

Codecov Report

Attention: Patch coverage is 11.44578% with 147 lines in your changes missing coverage. Please review.

Project coverage is 47.63%. Comparing base (3198b32) to head (7f9b61c).

Files with missing lines	Patch %	Lines
pkg/spegel/bootstrap.go	1.03%	96 Missing ⚠️
pkg/spegel/spegel.go	0.00%	36 Missing ⚠️
pkg/clientaccess/token.go	54.54%	12 Missing and 3 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11634      +/-   ##
==========================================
- Coverage   50.02%   47.63%   -2.39%     
==========================================
  Files         185      185              
  Lines       19265    19341      +76     
==========================================
- Hits         9637     9214     -423     
- Misses       8236     8795     +559     
+ Partials     1392     1332      -60     

Flag	Coverage Δ
e2etests	40.44% <9.03%> (-3.86%)	⬇️
inttests	35.03% <11.44%> (-0.17%)	⬇️
unittests	16.98% <3.01%> (-0.07%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[cwayne18]

/trivy

[github-actions]

For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://aquasecurity.github.io/trivy/v0.57/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


bin/containerd-shim-runc-v2 (gobinary)
======================================
Total: 0 (HIGH: 0, CRITICAL: 0)


Suppressed Vulnerabilities (Total: 1)
=====================================
┌──────────────────┬────────────────┬──────────┬──────────────┬─────────────────────────────┬──────────────────────┐
│     Library      │ Vulnerability  │ Severity │    Status    │          Statement          │        Source        │
├──────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────────┼──────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ not_affected │ vulnerable_code_not_present │ rancher.openvex.json │
└──────────────────┴────────────────┴──────────┴──────────────┴─────────────────────────────┴──────────────────────┘

bin/k3s (gobinary)
==================
Total: 0 (HIGH: 0, CRITICAL: 0)


Suppressed Vulnerabilities (Total: 2)
=====================================
┌─────────────────────┬────────────────┬──────────┬──────────────┬─────────────────────────────────────┬──────────────────────┐
│       Library       │ Vulnerability  │ Severity │    Status    │              Statement              │        Source        │
├─────────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────────────────┼──────────────────────┤
│ golang.org/x/crypto │ CVE-2024-45337 │ CRITICAL │ not_affected │ vulnerable_code_not_present         │ rancher.openvex.json │
├─────────────────────┼────────────────┼──────────┤              ├─────────────────────────────────────┤                      │
│ golang.org/x/net    │ CVE-2024-45338 │ HIGH     │              │ vulnerable_code_not_in_execute_path │                      │
└─────────────────────┴────────────────┴──────────┴──────────────┴─────────────────────────────────────┴──────────────────────┘

bin/runc (gobinary)
===================
Total: 0 (HIGH: 0, CRITICAL: 0)


Suppressed Vulnerabilities (Total: 1)
=====================================
┌──────────────────┬────────────────┬──────────┬──────────────┬─────────────────────────────┬──────────────────────┐
│     Library      │ Vulnerability  │ Severity │    Status    │          Statement          │        Source        │
├──────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────────┼──────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ not_affected │ vulnerable_code_not_present │ rancher.openvex.json │
└──────────────────┴────────────────┴──────────┴──────────────┴─────────────────────────────┴──────────────────────┘

[dereknola]

Is this program value inject internally in Spegel now?

[brandond]

This is just our route to the handler that returns the address list that is used by our custom agent bootstrapper. I missed this one when switching to {program} in the prefix for other routes in #11471