Ignore lint issues for deprecated Pool.Subjects()

- https://github.com/golang/go/blob/4aa1efed4853ea067d665a952eee77c52faac774/src/crypto/x509/cert_pool.go#L243-L244

cmd/pinniped/cmd/kubeconfig.go

@@ -720,6 +720,7 @@ func validateKubeconfig(ctx context.Context, flags getKubeconfigParams, kubeconf
 func countCACerts(pemData []byte) int {
 	pool := x509.NewCertPool()
 	pool.AppendCertsFromPEM(pemData)
+	//nolint:staticcheck // since we're not using .Subjects() to access the system pool
 	return len(pool.Subjects())
 }
 

internal/certauthority/certauthority_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package certauthority
@@ -206,6 +206,7 @@ func TestPool(t *testing.T) {
 	require.NoError(t, err)
 
 	pool := ca.Pool()
+	//nolint:staticcheck // since we're not using .Subjects() to access the system pool
 	require.Len(t, pool.Subjects(), 1)
 }
 

internal/dynamiccert/provider_test.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package dynamiccert
@@ -41,6 +41,7 @@ func TestProviderWithDynamicServingCertificateController(t *testing.T) {
 				cert, err := tls.X509KeyPair(certPEM, keyPEM)
 				require.NoError(t, err)
 
+				//nolint:staticcheck // since we're not using .Subjects() to access the system pool
 				return pool.Subjects(), []tls.Certificate{cert}
 			},
 		},
@@ -69,6 +70,7 @@ func TestProviderWithDynamicServingCertificateController(t *testing.T) {
 
 				certKey.UnsetCertKeyContent()
 
+				//nolint:staticcheck // since we're not using .Subjects() to access the system pool
 				return pool.Subjects(), []tls.Certificate{cert}
 			},
 		},
@@ -87,6 +89,7 @@ func TestProviderWithDynamicServingCertificateController(t *testing.T) {
 				cert, err := tls.X509KeyPair(certPEM, keyPEM)
 				require.NoError(t, err)
 
+				//nolint:staticcheck // since we're not using .Subjects() to access the system pool
 				return newCA.Pool().Subjects(), []tls.Certificate{cert}
 			},
 		},
@@ -110,6 +113,7 @@ func TestProviderWithDynamicServingCertificateController(t *testing.T) {
 				ok := pool.AppendCertsFromPEM(ca.CurrentCABundleContent())
 				require.True(t, ok, "should have valid non-empty CA bundle")
 
+				//nolint:staticcheck // since we're not using .Subjects() to access the system pool
 				return pool.Subjects(), []tls.Certificate{cert}
 			},
 		},
@@ -137,6 +141,7 @@ func TestProviderWithDynamicServingCertificateController(t *testing.T) {
 				err = ca.SetCertKeyContent(newOtherCA.Bundle(), caKey)
 				require.NoError(t, err)
 
+				//nolint:staticcheck // since we're not using .Subjects() to access the system pool
 				return newOtherCA.Pool().Subjects(), []tls.Certificate{cert}
 			},
 		},
@@ -221,6 +226,7 @@ func poolSubjects(pool *x509.CertPool) [][]byte {
 	if pool == nil {
 		return nil
 	}
+	//nolint:staticcheck // since we're not using .Subjects() to access the system pool
 	return pool.Subjects()
 }
 

internal/kubeclient/kubeclient_test.go

@@ -949,6 +949,7 @@ func TestUnwrap(t *testing.T) {
 
 	server, restConfig := fakekubeapi.Start(t, nil)
 
+	//nolint:staticcheck // since we're not using .Subjects() to access the system pool
 	serverSubjects := server.Client().Transport.(*http.Transport).TLSClientConfig.RootCAs.Subjects()
 
 	t.Run("regular client", func(t *testing.T) {
@@ -1089,6 +1090,7 @@ func testUnwrap(t *testing.T, client *Client, serverSubjects [][]byte) {
 			require.Equal(t, secureTLSConfig.NextProtos, tlsConfig.NextProtos)
 
 			// x509.CertPool has some embedded functions that make it hard to compare so just look at the subjects
+			//nolint:staticcheck // since we're not using .Subjects() to access the system pool
 			require.Equal(t, serverSubjects, tlsConfig.RootCAs.Subjects())
 		})
 	}