Fix vulnerabilities #165
Fix vulnerabilities #165
Conversation
Makefile
Outdated
| mkdir -p ${KUBEBUILDER_ASSETS} | ||
| $(SETUP_ENVTEST) use --bin-dir $(ENVTEST_ASSETS_BIN_DIR) | ||
| find $(ENVTEST_ASSETS_BIN_DIR)/ -exec cp {} $(KUBEBUILDER_ASSETS)/ \; | ||
| sudo rm -r $(ENVTEST_ASSETS_BIN_DIR) |
There was a problem hiding this comment.
I do not like this sudo. First I did not intend to add it but the github checks were failing. Using setup-envtest, the binaries are generated in <your-dir>/k8s/<version>. So I generated them in testbin/tmp/k8s/<version> them copy them to testbin/bin to then delete testbin/tmp.
There was a problem hiding this comment.
From the operator-sdk changelog, it looks like it is advising this change instead:
+# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
+ENVTEST_K8S_VERSION = 1.21
test: manifests generate fmt vet envtest ## Run tests.
- go test ./... -coverprofile cover.out
+ KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./... -coverprofile cover.out
From https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.11.0/
Did you try this approach instead?
There is also a separate target to download envtest. It might be easier to create a new project with operator-sdk then compare the Makefile it generates.
There was a problem hiding this comment.
I didn't see any evidence that we applied these upgrade steps. We should apply them:
https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.11.0/#gov3-ansiblev1-helmv1-add-containerport-protocol-field-in-manifests
https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.16.0/#add-annotation-to-specify-the-default-container
https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.18.0/#support-image-digests-instead-of-tags
This upgrade was partially done:
https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.14.0/#upgrade-k8s-versions-to-use-122-golangv3
I didn't see any evidence that these ones were added
- ENVTEST_K8S_VERSION (although the version has been bumped since then)
- Replace your admissionReviewVersions={v1,v1beta1} markers with admissionReviewVersions=v1
Makefile
Outdated
| mkdir -p ${KUBEBUILDER_ASSETS} | ||
| $(SETUP_ENVTEST) use --bin-dir $(ENVTEST_ASSETS_BIN_DIR) | ||
| find $(ENVTEST_ASSETS_BIN_DIR)/ -exec cp {} $(KUBEBUILDER_ASSETS)/ \; | ||
| sudo rm -r $(ENVTEST_ASSETS_BIN_DIR) |
There was a problem hiding this comment.
From the operator-sdk changelog, it looks like it is advising this change instead:
+# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
+ENVTEST_K8S_VERSION = 1.21
test: manifests generate fmt vet envtest ## Run tests.
- go test ./... -coverprofile cover.out
+ KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./... -coverprofile cover.out
From https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.11.0/
Did you try this approach instead?
There is also a separate target to download envtest. It might be easier to create a new project with operator-sdk then compare the Makefile it generates.
Makefile
Outdated
| @@ -421,7 +427,11 @@ KUBERNETES_SPLIT_YAML = $(shell pwd)/bin/kubernetes-split-yaml | |||
| kubernetes-split-yaml: ## Download kubernetes-split-yaml locally if necessary. | |||
| $(call go-get-tool,$(KUBERNETES_SPLIT_YAML),github.com/mogensen/[email protected]) | |||
|
|
|||
| # go-get-tool will 'go get' any package $2 and install it to $1. | |||
| SETUP_ENVTEST = $(shell pwd)/bin/setup-envtest | |||
There was a problem hiding this comment.
We should follow what is done in the generated Makefile. So this becomes ENVTEST = and the make target below becomes envtest.
There was a problem hiding this comment.
Yes it is definitely simpler like that. I will do that.
|
We should add a changie entry too to indicate we moved to operator-sdk version 1.18.0 |
Yes I oversimplified this upgrade. With such a big jump in version it is clear that intermediary upgrades should not be skipped. I will change that. |
Yes I will do a last commit for that once the changes will be approved. |
config/webhook/manifests.yaml
Outdated
| clientConfig: | ||
| service: | ||
| name: webhook-service | ||
| namespace: system | ||
| path: /mutate-vertica-com-v1beta1-verticadb | ||
| failurePolicy: Fail | ||
| name: mverticadb.kb.io | ||
| namespaceSelector: |
There was a problem hiding this comment.
This file is no longer generated. So, I think we still need this. This allows the webhoook to work.
There was a problem hiding this comment.
Sorry what do you mean by is no longer generated? because with controller-gen crd webhook .... it automatically generates the file you see right now. Or do you mean we should still keep the part you highlighted and prevent this file to be re-generated each time?
There was a problem hiding this comment.
We changed this file to not be generated anymore. We did this because we needed to add the namespace selector to it in order to get the webhook to work. So, I think we still need that selector added.
Makefile
Outdated
| $(call go-get-tool,$(SETUP_ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest) | ||
| ENVTEST = $(shell pwd)/bin/setup-envtest | ||
| .PHONY: envtest | ||
| envtest: ## Download envtest-setup locally if necessary. |
There was a problem hiding this comment.
The comment should be "Download setup-envtest-setup locally if necessary."
|
The changes look good. Lets create the changie entry. And I will push it sometime next week once we have upgraded Go on our internal build machines. |
|
I guess the Kind of changie is "Changed". |
| body: Move to operator-sdk v1.18.0 | ||
| time: 2022-03-04T22:15:06.6959129+01:00 | ||
| custom: | ||
| Issue: "30" |
There was a problem hiding this comment.
We should use 165 as the issue number. I typically try to link with the PR that pushed the change as that gives more context.
roypaulin
force-pushed
the
fix-vulnerabilities
branch
from
fcfa192
to
d51e4b4
Compare
This PR follows security vulnerabilities that have been detected inside operator pods.
the highlights are:
Closes #30