Merge branch 'release/v0.14.2' into main

CHANGELOG.md

@@ -6,6 +6,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v0.14.2] - 2023-09-20
+### Changed
+- [#38] updated go dependencies
+- [#38] updated kube-rbac-proxy
+
+### Fixed
+- [#38] deprecation warning for argument `logtostderr` in kube-rbac-proxy
+
+### Removed
+- [#38] deprecated argument `logtostderr` from kube-rbac-proxy
+
 ## [v0.14.1] - 2023-09-15
 ### Fixed
 - [#42] Set default-value for STAGE environment-variable to "production"

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.20.3 AS builder
+FROM golang:1.21 AS builder
 
 WORKDIR /workspace
 
@@ -31,7 +31,7 @@ RUN make compile-generic
 FROM gcr.io/distroless/static:nonroot
 LABEL maintainer="[email protected]" \
       NAME="k8s-service-discovery" \
-      VERSION="0.14.1"
+      VERSION="0.14.2"
 
 WORKDIR /
 

Jenkinsfile

@@ -1,6 +1,6 @@
 #!groovy
 
-@Library(['github.com/cloudogu/ces-build-lib@1.65.0'])
+@Library(['github.com/cloudogu/ces-build-lib@1.67.0'])
 import com.cloudogu.ces.cesbuildlib.*
 
 // Creating necessary git objects
@@ -12,7 +12,7 @@ github = new GitHub(this, git)
 changelog = new Changelog(this)
 Docker docker = new Docker(this)
 gpg = new Gpg(this, docker)
-goVersion = "1.20"
+goVersion = "1.21"
 makefile = new Makefile(this)
 
 // Configuration of repository

Makefile

@@ -1,12 +1,12 @@
 # Set these to the desired values
 ARTIFACT_ID=k8s-service-discovery
-VERSION=0.14.1
+VERSION=0.14.2
 
 ## Image URL to use all building/pushing image targets
 IMAGE_DEV=${K3CES_REGISTRY_URL_PREFIX}/${ARTIFACT_ID}:${VERSION}
 IMAGE=cloudogu/${ARTIFACT_ID}:${VERSION}
-GOTAG?=1.20.3
-MAKEFILES_VERSION=8.0.0
+GOTAG?=1.21
+MAKEFILES_VERSION=8.3.0
 LINT_VERSION?=v1.52.1
 
 ADDITIONAL_CLEAN=dist-clean

build/make/bats/Dockerfile

@@ -4,4 +4,4 @@ ARG BATS_TAG
 FROM ${BATS_BASE_IMAGE}:${BATS_TAG}
 
 # Make bash more findable by scripts and tests
-RUN apk add make git bash
+RUN apk add make git bash

build/make/k8s-component.mk

@@ -15,7 +15,6 @@ K8S_HELM_TARGET ?= $(K8S_RESOURCE_TEMP_FOLDER)/helm
 K8S_HELM_RESSOURCES ?= k8s/helm
 K8S_HELM_RELEASE_TGZ=${K8S_HELM_TARGET}/${ARTIFACT_ID}-${VERSION}.tgz
 K8S_HELM_DEV_RELEASE_TGZ=${K8S_HELM_TARGET}/${ARTIFACT_ID}-${DEV_VERSION}.tgz
-K8S_HELM_TARGET_DEP_DIR=charts
 K8S_HELM_ARTIFACT_NAMESPACE?=k8s
 
 K8S_RESOURCE_COMPONENT ?= "${K8S_RESOURCE_TEMP_FOLDER}/component-${ARTIFACT_ID}-${VERSION}.yaml"
@@ -33,14 +32,15 @@ helm-init-chart: ${BINARY_HELM} ## Creates a Chart.yaml-template with zero value
 	@sed -i 's/version: .*/version: 0.0.0-replaceme/' ${K8S_HELM_RESSOURCES}/Chart.yaml
 
 .PHONY: helm-generate-chart
-helm-generate-chart: k8s-generate ${K8S_HELM_TARGET}/Chart.yaml helm-create-dependencies ## Generates the final helm chart.
+helm-generate-chart: k8s-generate ${K8S_HELM_TARGET}/Chart.yaml ## Generates the final helm chart.
 
 .PHONY: ${K8S_HELM_TARGET}/Chart.yaml
 ${K8S_HELM_TARGET}/Chart.yaml: $(K8S_RESOURCE_TEMP_FOLDER) k8s-generate
 	@echo "Generate helm chart..."
 	@rm -drf ${K8S_HELM_TARGET}  # delete folder, so the chart is newly created.
 	@mkdir -p ${K8S_HELM_TARGET}/templates
 	@cp $(K8S_RESOURCE_TEMP_YAML) ${K8S_HELM_TARGET}/templates
+	@sed -i "s/'{{ .Namespace }}'/'{{ .Release.Namespace }}'/" ${K8S_HELM_TARGET}/templates/$(ARTIFACT_ID)_$(VERSION).yaml
 	@cp -r ${K8S_HELM_RESSOURCES}/** ${K8S_HELM_TARGET}
 	@if [[ ${STAGE} == "development" ]]; then \
   	  sed -i 's/appVersion: "0.0.0-replaceme"/appVersion: '$(DEV_VERSION)'/' ${K8S_HELM_TARGET}/Chart.yaml; \
@@ -99,16 +99,6 @@ ${K8S_HELM_RELEASE_TGZ}: ${BINARY_HELM} ${K8S_HELM_TARGET}/templates/$(ARTIFACT_
 	@echo "Package generated helm chart"
 	@${BINARY_HELM} package ${K8S_HELM_TARGET} -d ${K8S_HELM_TARGET} ${BINARY_HELM_ADDITIONAL_PACK_ARGS}
 
-.PHONY: helm-create-dependencies
-helm-create-dependencies: ${BINARY_YQ} ${K8S_HELM_TARGET}/Chart.yaml
-# we use helm dependencies internally but never use them as "official" dependency because the namespace may differ
-# instead we create empty dependencies to satisfy the helm package call and delete the whole directory from the chart.tgz later-on.
-	@echo "Create helm temp dependencies (if they exist)"
-	@for dep in `${BINARY_YQ} -e '.dependencies[].name // ""' ${K8S_HELM_TARGET}/Chart.yaml`; do \
-		mkdir -p ${K8S_HELM_TARGET}/${K8S_HELM_TARGET_DEP_DIR}/$${dep} ; \
-		sed "s|replaceme|$${dep}|g" $(BUILD_DIR)/make/k8s-helm-dependency.tpl > ${K8S_HELM_TARGET}/${K8S_HELM_TARGET_DEP_DIR}/$${dep}/Chart.yaml ; \
-	done
-
 ${BINARY_HELM}: $(UTILITY_BIN_PATH) ## Download helm locally if necessary.
 	$(call go-get-tool,$(BINARY_HELM),helm.sh/helm/v3/cmd/helm@${BINARY_HELM_VERSION})
 

build/make/k8s-controller.mk

@@ -18,12 +18,6 @@ include $(WORKDIR)/build/make/k8s-component.mk
 
 ## Variables
 
-# Setting SHELL to bash allows bash commands to be executed by recipes.
-# This is a requirement for 'setup-envtest.sh' in the test target.
-# Options are set to exit when a recipe line exits non-zero or a piped command fails.
-SHELL = /usr/bin/env bash -o pipefail
-.SHELLFLAGS = -ec
-
 # make sure to create a statically linked binary otherwise it may quit with
 # "exec user process caused: no such file or directory"
 GO_BUILD_FLAGS=-mod=vendor -a -tags netgo,osusergo $(LDFLAGS) -o $(BINARY)

build/make/k8s.mk

@@ -6,11 +6,19 @@ endif
 
 ## Variables
 
+# Setting SHELL to bash allows bash commands to be executed by recipes.
+# Options are set to exit when a recipe line exits non-zero or a piped command fails.
+SHELL = /usr/bin/env bash -o pipefail
+.SHELLFLAGS = -ec
+
 BINARY_YQ = $(UTILITY_BIN_PATH)/yq
 
 # The productive tag of the image
 IMAGE ?=
 
+# Set production as default stage. Use "development" as stage in your .env file to generate artifacts
+# with development images pointing to K3S_CLUSTER_FQDN.
+STAGE?=production
 K3S_CLUSTER_FQDN?=k3ces.local
 K3S_LOCAL_REGISTRY_PORT?=30099
 K3CES_REGISTRY_URL_PREFIX="${K3S_CLUSTER_FQDN}:${K3S_LOCAL_REGISTRY_PORT}"
@@ -66,7 +74,6 @@ K8S_PRE_GENERATE_TARGETS ?= k8s-create-temporary-resource
 .PHONY: k8s-generate
 k8s-generate: ${BINARY_YQ} $(K8S_RESOURCE_TEMP_FOLDER) $(K8S_PRE_GENERATE_TARGETS) ## Generates the final resource yaml.
 	@echo "Applying general transformations..."
-	@sed -i "s/'{{ .Namespace }}'/$(NAMESPACE)/" $(K8S_RESOURCE_TEMP_YAML)
 	@if [[ ${STAGE} == "development" ]]; then \
 	  $(BINARY_YQ) -i e "(select(.kind == \"Deployment\").spec.template.spec.containers[]|select(.image == \"*$(ARTIFACT_ID)*\").image)=\"$(IMAGE_DEV)\"" $(K8S_RESOURCE_TEMP_YAML); \
 	else \
@@ -77,6 +84,7 @@ k8s-generate: ${BINARY_YQ} $(K8S_RESOURCE_TEMP_FOLDER) $(K8S_PRE_GENERATE_TARGET
 .PHONY: k8s-apply
 k8s-apply: k8s-generate image-import $(K8S_POST_GENERATE_TARGETS) ## Applies all generated K8s resources to the current cluster and namespace.
 	@echo "Apply generated K8s resources..."
+	@sed -i "s/'{{ .Namespace }}'/$(NAMESPACE)/" $(K8S_RESOURCE_TEMP_YAML)
 	@kubectl apply -f $(K8S_RESOURCE_TEMP_YAML) --namespace=${NAMESPACE}
 
 ##@ K8s - Docker
@@ -119,5 +127,8 @@ __check_defined = \
     $(if $(value $1),, \
       $(error Undefined $1$(if $2, ($2))))
 
+.PHONY: install-yq ## Installs the yq YAML editor.
+install-yq: ${BINARY_YQ}
+
 ${BINARY_YQ}: $(UTILITY_BIN_PATH) ## Download yq locally if necessary.
 	$(call go-get-tool,$(BINARY_YQ),github.com/mikefarah/yq/[email protected])

build/make/release.mk

@@ -8,4 +8,8 @@ dogu-release: ## Start a dogu release
 
 .PHONY: go-release
 go-release: ## Start a go tool release
-	build/make/release.sh go-tool
+	build/make/release.sh go-tool
+
+.PHONY: dogu-cve-release
+dogu-cve-release: ## Start a dogu release of a new build if the local build fixes critical CVEs
+	@bash -c "build/make/release_cve.sh \"${REGISTRY_USERNAME}\" \"${REGISTRY_PASSWORD}\" \"${TRIVY_IMAGE_SCAN_FLAGS}\" \"${DRY_RUN}\""

build/make/release.sh

@@ -15,7 +15,7 @@ sourceCustomReleaseArgs() {
   if [[ -f "${RELEASE_ARGS_FILE}" ]]; then
     echo "Using custom release args file ${RELEASE_ARGS_FILE}"
 
-    sourceCustomReleaseExitCode=0
+    local sourceCustomReleaseExitCode=0
     # shellcheck disable=SC1090
     source "${RELEASE_ARGS_FILE}" || sourceCustomReleaseExitCode=$?
     if [[ ${sourceCustomReleaseExitCode} -ne 0 ]]; then
@@ -30,13 +30,16 @@ RELEASE_ARGS_FILE="${PROJECT_DIR}/release_args.sh"
 
 sourceCustomReleaseArgs "${RELEASE_ARGS_FILE}"
 
+# shellcheck disable=SC1090
 source "$(pwd)/build/make/release_functions.sh"
 
 TYPE="${1}"
+FIXED_CVE_LIST="${2:-""}"
+DRY_RUN="${3:-""}"
 
 echo "=====Starting Release process====="
 
-if [ "${TYPE}" == "dogu" ];then
+if [[ "${TYPE}" == "dogu"  || "${TYPE}" == "dogu-cve-release" ]];then
   CURRENT_TOOL_VERSION=$(get_current_version_by_dogu_json)
 else
   CURRENT_TOOL_VERSION=$(get_current_version_by_makefile)
@@ -45,10 +48,20 @@ fi
 NEW_RELEASE_VERSION="$(read_new_version)"
 
 validate_new_version "${NEW_RELEASE_VERSION}"
-start_git_flow_release "${NEW_RELEASE_VERSION}"
+if [[ -n "${DRY_RUN}" ]]; then
+  start_dry_run_release "${NEW_RELEASE_VERSION}"
+else
+  start_git_flow_release "${NEW_RELEASE_VERSION}"
+fi
+
 update_versions "${NEW_RELEASE_VERSION}"
-update_changelog "${NEW_RELEASE_VERSION}"
+update_changelog "${NEW_RELEASE_VERSION}" "${FIXED_CVE_LIST}"
 show_diff
-finish_release_and_push "${CURRENT_TOOL_VERSION}" "${NEW_RELEASE_VERSION}"
+
+if [[ -n "${DRY_RUN}" ]]; then
+  abort_dry_run_release "${NEW_RELEASE_VERSION}"
+else
+  finish_release_and_push "${CURRENT_TOOL_VERSION}" "${NEW_RELEASE_VERSION}"
+fi
 
 echo "=====Finished Release process====="

build/make/release_cve.sh

@@ -0,0 +1,154 @@
+#!/bin/bash
+set -o errexit
+set -o pipefail
+set -o nounset
+
+function readCredentialsIfUnset() {
+  if [ -z "${USERNAME}" ]; then
+    echo "username is unset"
+    while [[ -z ${USERNAME} ]]; do
+      read -r -p "type username for ${REGISTRY_URL}: " USERNAME
+    done
+  fi
+  if [ -z "${PASSWORD}" ]; then
+    echo "password is unset"
+    while [[ -z ${PASSWORD} ]]; do
+      read -r -s -p "type password for ${REGISTRY_URL}: " PASSWORD
+    done
+  fi
+}
+
+function diffArrays() {
+  local cveListX=("$1")
+  local cveListY=("$2")
+  local result=()
+
+  local cveX
+  # Disable the following shellcheck because the arrays are sufficiently whitespace delimited because of the jq parsing result.
+  # shellcheck disable=SC2128
+  for cveX in ${cveListX}; do
+    local found=0
+    local cveY
+    for cveY in ${cveListY}; do
+      [[ "${cveY}" == "${cveX}" ]] && {
+        found=1
+        break
+      }
+    done
+
+    [[ "${found}" == 0 ]] && result+=("${cveX}")
+  done
+
+  echo "${result[@]}"
+}
+
+function dockerLogin() {
+  docker login "${REGISTRY_URL}" -u "${USERNAME}" -p "${PASSWORD}"
+}
+
+function dockerLogout() {
+  docker logout "${REGISTRY_URL}"
+}
+
+function nameFromDogu() {
+  jsonPropertyFromDogu ".Name"
+}
+
+function imageFromDogu() {
+  jsonPropertyFromDogu ".Image"
+}
+
+function versionFromDogu() {
+  jsonPropertyFromDogu ".Version"
+}
+
+function jsonPropertyFromDogu() {
+  local property="${1}"
+  jq -r "${property}" "${DOGU_JSON_FILE}"
+}
+
+function pullRemoteImage() {
+  docker pull "$(imageFromDogu):$(versionFromDogu)"
+}
+
+function buildLocalImage() {
+  docker build . -t "$(imageFromDogu):$(versionFromDogu)"
+}
+
+function scanImage() {
+  docker run -v "${TRIVY_CACHE_DIR}":"${TRIVY_DOCKER_CACHE_DIR}" -v /var/run/docker.sock:/var/run/docker.sock -v "${TRIVY_PATH}":/result aquasec/trivy --cache-dir "${TRIVY_DOCKER_CACHE_DIR}" -f json -o /result/results.json image ${TRIVY_IMAGE_SCAN_FLAGS:+"${TRIVY_IMAGE_SCAN_FLAGS}"} "$(imageFromDogu):$(versionFromDogu)"
+}
+
+function parseTrivyJsonResult() {
+  local severity="${1}"
+  local trivy_result_file="${2}"
+
+  # First select results which have the property "Vulnerabilities". Filter the vulnerability ids with the given severity and afterward put the values in an array.
+  # This array is used to format the values with join(" ") in a whitespace delimited string list.
+  jq -rc "[.Results[] | select(.Vulnerabilities) | .Vulnerabilities | .[] | select(.Severity == \"${severity}\") | .VulnerabilityID] | join(\" \")" "${trivy_result_file}"
+}
+
+RELEASE_SH="build/make/release.sh"
+
+REGISTRY_URL="registry.cloudogu.com"
+DOGU_JSON_FILE="dogu.json"
+
+CVE_SEVERITY="CRITICAL"
+
+TRIVY_PATH=
+TRIVY_RESULT_FILE=
+TRIVY_CACHE_DIR=
+TRIVY_DOCKER_CACHE_DIR=/tmp/db
+TRIVY_IMAGE_SCAN_FLAGS=
+
+USERNAME=""
+PASSWORD=""
+DRY_RUN=
+
+function runMain() {
+  readCredentialsIfUnset
+  dockerLogin
+
+  mkdir -p "${TRIVY_PATH}" # Cache will not be removed after release. rm requires root because the trivy container only runs with root.
+  pullRemoteImage
+  scanImage
+  local remote_trivy_cve_list
+  remote_trivy_cve_list=$(parseTrivyJsonResult "${CVE_SEVERITY}" "${TRIVY_RESULT_FILE}")
+
+  buildLocalImage
+  scanImage
+  local local_trivy_cve_list
+  local_trivy_cve_list=$(parseTrivyJsonResult "${CVE_SEVERITY}" "${TRIVY_RESULT_FILE}")
+
+  dockerLogout
+
+  local cve_in_local_but_not_in_remote
+  cve_in_local_but_not_in_remote=$(diffArrays "${local_trivy_cve_list}" "${remote_trivy_cve_list}")
+  if [[ -n "${cve_in_local_but_not_in_remote}" ]]; then
+    echo "Abort release. Added new vulnerabilities:"
+    echo "${cve_in_local_but_not_in_remote[@]}"
+    exit 2
+  fi
+
+  local cve_in_remote_but_not_in_local
+  cve_in_remote_but_not_in_local=$(diffArrays "${remote_trivy_cve_list}" "${local_trivy_cve_list}")
+  if [[ -z "${cve_in_remote_but_not_in_local}" ]]; then
+    echo "Abort release. Fixed no new vulnerabilities"
+    exit 3
+  fi
+
+  "${RELEASE_SH}" "dogu-cve-release" "${cve_in_remote_but_not_in_local}" "${DRY_RUN}"
+}
+
+# make the script only runMain when executed, not when sourced from bats tests
+if [[ -n "${BASH_VERSION}" && "${BASH_SOURCE[0]}" == "${0}" ]]; then
+  USERNAME="${1:-""}"
+  PASSWORD="${2:-""}"
+  TRIVY_IMAGE_SCAN_FLAGS="${3:-""}"
+  DRY_RUN="${4:-""}"
+
+  TRIVY_PATH="/tmp/trivy-dogu-cve-release-$(nameFromDogu)"
+  TRIVY_RESULT_FILE="${TRIVY_PATH}/results.json"
+  TRIVY_CACHE_DIR="${TRIVY_PATH}/db"
+  runMain
+fi