Large batch dependency update (#415)

Updated operator-framework, k8s, controller-runtime, gke-managed-certs, golang, builder ubuntu images and so many other transitive things. Got rid of bundles and switched to an unified install.yaml (pretty much same as the old operator.yaml)

---------

Co-authored-by: sroettger <[email protected]>

Author: implr

.github/workflows/update-images.yaml

@@ -19,7 +19,7 @@ env:
 
 jobs:
   build-docker:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: github.event_name == 'push'
     outputs:
       challenge-modified: ${{ steps.set-modified.outputs.challenge-modified }}
@@ -34,7 +34,7 @@ jobs:
       matrix:
         image: ["challenge", "healthcheck", "gcsfuse", "certbot"]
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
       with:
           fetch-depth: 0
 
@@ -78,20 +78,20 @@ jobs:
     - name: Set up Python
       uses: actions/setup-python@v4
       with:
-        python-version: '3.7'
+        python-version: '3.13.2'
 
     - name: 'Set up Cloud SDK auth'
-      uses: 'google-github-actions/auth@v0'
+      uses: 'google-github-actions/auth@v1'
       with:
         # not using workload identity because we use gsutil
         # TODO(evn) switch when supported
         # https://github.com/google-github-actions/setup-gcloud#authorization
         credentials_json: '${{ secrets.GKE_KEY }}'
 
     - name: 'Set up Cloud SDK'
-      uses: 'google-github-actions/setup-gcloud@v0'
+      uses: 'google-github-actions/setup-gcloud@v2'
       with:
-        version: '319.0.0'
+        version: '516.0.0'
         service_account_email: ${{ secrets.GKE_EMAIL }}
 
     - name: Configure docker to use the gcloud command-line tool as a credential helper
@@ -109,7 +109,7 @@ jobs:
         echo "::set-output name=${{ matrix.image }}-digest::${DIGEST}"
 
   build-operator:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs:
     - build-docker
     if: github.event_name == 'push'
@@ -162,15 +162,15 @@ jobs:
     - name: Set up Python
       uses: actions/setup-python@v4
       with:
-        python-version: '3.7'
+        python-version: '3.13.2'
 
     - name: Export gcloud related env variable
       run: export CLOUDSDK_PYTHON="/usr/bin/python3"
 
     - name: 'Set up Cloud SDK'
-      uses: 'google-github-actions/setup-gcloud@v0'
+      uses: 'google-github-actions/setup-gcloud@v2'
       with:
-        version: '319.0.0'
+        version: '516.0.0'
         service_account_email: ${{ secrets.GKE_EMAIL }}
 
     - name: Configure docker to use the gcloud command-line tool as a credential helper
@@ -179,19 +179,23 @@ jobs:
         gcloud auth configure-docker
 
     - name: 'Setup go version necessary for operator'
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v5
       with:
-        go-version: '1.16.0'
+        go-version: '1.24.1'
 
     - name: Build image
       if: steps.modified.outputs.modified
       run: |
+        curl -L https://storage.googleapis.com/etcd/v3.5.19/etcd-v3.5.19-linux-amd64.tar.gz -o /tmp/etcd.tar.gz
+        sudo tar xzvf /tmp/etcd.tar.gz -C /usr/local/bin/ --strip-components=1
         cd kctf-operator
-        curl -L https://github.com/operator-framework/operator-sdk/releases/download/v1.15.0/operator-sdk_linux_amd64 -o operator-sdk
+        curl -L https://github.com/operator-framework/operator-sdk/releases/download/v1.36.0/operator-sdk_linux_amd64 -o operator-sdk
         chmod u+x operator-sdk
         sudo mv operator-sdk /usr/local/bin/
-        make controller-gen
-        make manifests docker-build IMG=kctf-operator
+        make test
+        make docker-build IMG=kctf-operator
+        make build-installer IMG=kctf-operator
+        mv dist/install.yaml ../dist/resources/install.yaml
 
     - id: push
       name: Push images
@@ -203,7 +207,9 @@ jobs:
         echo "::set-output name=kctf-operator-digest::${DIGEST}"
 
   update-image-and-commit:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: write
     needs:
     - build-docker
     - build-operator
@@ -246,7 +252,7 @@ jobs:
       if: needs.build-operator.outputs.kctf-operator-modified
       run: |
         IMAGE="gcr.io/${{ secrets.GCR_PROJECT }}/kctf-operator@${{ needs.build-operator.outputs.kctf-operator-digest }}"
-        sed -i "s#image: .*kctf-operator.*#image: ${IMAGE}#" dist/resources/operator.yaml
+        sed -i "s#image: .*kctf-operator.*#image: ${IMAGE}#" dist/resources/install.yaml
 
     - name: Download kubectl
       run: |
@@ -257,7 +263,7 @@ jobs:
     - name: Set up Python
       uses: actions/setup-python@v4
       with:
-        python-version: '3.7'
+        python-version: '3.13.2'
 
     - name: Export gcloud related env variable
       run: export CLOUDSDK_PYTHON="/usr/bin/python3"
@@ -271,7 +277,7 @@ jobs:
         credentials_json: '${{ secrets.GKE_KEY }}'
 
     - name: 'Set up Cloud SDK'
-      uses: 'google-github-actions/setup-gcloud@v0'
+      uses: 'google-github-actions/setup-gcloud@v2'
       with:
         service_account_email: ${{ secrets.GKE_EMAIL }}
         install_components: 'gke-gcloud-auth-plugin'
@@ -334,9 +340,8 @@ jobs:
       run: |
         # git add returns success for files that exist and haven't been modified
         git add kctf-operator/resources/constants.go
-        git add dist/resources/operator.yaml
+        git add dist/resources/install.yaml
         git add kctf-operator/config/crd/bases/kctf.dev_challenges.yaml
-        git add dist/resources/kctf.dev_challenges.yaml
         for dir in dist/challenge-templates/* samples/*; do
           if [[ ! -e "${dir}/challenge.yaml" ]]; then
             continue

dist/activate

@@ -19,8 +19,8 @@ if [[ "$OSTYPE" =~ ^darwin.* ]]; then
   KCTF_KIND_URL="https://kind.sigs.k8s.io/dl/v0.11.1/kind-darwin-amd64"
   KCTF_KIND_HASH="432bef555a70e9360b44661c759658265b9eaaf7f75f1beec4c4d1e6bbf97ce3"
 
-  KCTF_KUBECTL_URL="https://dl.k8s.io/release/v1.20.4/bin/darwin/amd64/kubectl"
-  KCTF_KUBECTL_HASH="37f593731b8c9913bf2a3bfa36dacb3058dc176c7aeae2930c783822ea03a573"
+  KCTF_KUBECTL_URL="https://dl.k8s.io/release/v1.29.3/bin/darwin/amd64/kubectl"
+  KCTF_KUBECTL_HASH="1a1f9040bce74fb28c475dc157a86565fcabf883a697ca576993ab8372935836"
 
   STAT="gstat"
   MKTEMP="gmktemp"
@@ -38,8 +38,8 @@ else
   KCTF_KIND_URL="https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64"
   KCTF_KIND_HASH="949f81b3c30ca03a3d4effdecda04f100fa3edc07a28b19400f72ede7c5f0491"
 
-  KCTF_KUBECTL_URL="https://dl.k8s.io/release/v1.20.4/bin/linux/amd64/kubectl"
-  KCTF_KUBECTL_HASH="98e8aea149b00f653beeb53d4bd27edda9e73b48fed156c4a0aa1dabe4b1794c"
+  KCTF_KUBECTL_URL="https://dl.k8s.io/release/v1.29.3/bin/linux/amd64/kubectl"
+  KCTF_KUBECTL_HASH="89c0435cec75278f84b62b848b8c0d3e15897d6947b6c59a49ddccd93d7312bf"
 
   STAT="stat"
   MKTEMP="mktemp"

dist/bin/kctf-cluster

@@ -393,24 +393,24 @@ function kctf_cluster_ip_ranges {
   set_cloud_armor_policy "${RANGES}" || return
 
   # stop the operator
-  "${KCTF_BIN}/yq" eval "select(.kind == \"Deployment\")" "${KCTF_CTF_DIR}/kctf/resources/operator.yaml" \
+  "${KCTF_BIN}/yq" eval "select(.kind == \"Deployment\")" "${KCTF_CTF_DIR}/kctf/resources/install.yaml" \
     | "${KCTF_BIN}/kubectl" delete -f - || return
 
   start_operator_gce || return
 }
 
 function start_operator_gce {
   if [[ "${DISABLE_SRC_RANGES}" == "1" ]]; then
-     "${KCTF_BIN}/kubectl" apply -f "${KCTF_CTF_DIR}/kctf/resources/operator.yaml" || return
+     "${KCTF_BIN}/kubectl" apply --server-side -f "${KCTF_CTF_DIR}/kctf/resources/install.yaml" || return
   else
     get_cloud_armor_policy || return
     RANGES=$ret
     SUFFIX=$(echo "${PROJECT}-${CLUSTER_NAME}-${ZONE}" | sha1sum)
     POLICY_NAME="kctf-policy-${SUFFIX:0:16}"
     # restart the operator with the new range
-    "${KCTF_BIN}/yq" eval "(select(.kind == \"Deployment\").spec.template.spec.containers[] | select(.name == \"manager\").env[] | select(.name == \"ALLOWED_IPS\").value) |= \"${RANGES}\"" "${KCTF_CTF_DIR}/kctf/resources/operator.yaml" \
+    "${KCTF_BIN}/yq" eval "(select(.kind == \"Deployment\").spec.template.spec.containers[] | select(.name == \"manager\").env[] | select(.name == \"ALLOWED_IPS\").value) |= \"${RANGES}\"" "${KCTF_CTF_DIR}/kctf/resources/install.yaml" \
       | "${KCTF_BIN}/yq" eval "(select(.kind == \"Deployment\").spec.template.spec.containers[] | select(.name == \"manager\").env[] | select(.name == \"SECURITY_POLICY\").value) |= \"${POLICY_NAME}\"" - \
-      | "${KCTF_BIN}/kubectl" apply -f - || return
+      | "${KCTF_BIN}/kubectl" apply --server-side -f - || return
   fi
 }
 
@@ -441,17 +441,13 @@ function create_cloud_armor_policy {
 }
 
 function create_operator {
-  # Creating CRD, rbac and operator
-  "${KCTF_BIN}/kubectl" apply -f "${KCTF_CTF_DIR}/kctf/resources/kctf.dev_challenges.yaml" || return
-  "${KCTF_BIN}/kubectl" apply -f "${KCTF_CTF_DIR}/kctf/resources/kctf-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml" || return
-  "${KCTF_BIN}/kubectl" apply -f "${KCTF_CTF_DIR}/kctf/resources/kctf-operator-manager-config_v1_configmap.yaml" || return
-  "${KCTF_BIN}/kubectl" apply -f "${KCTF_CTF_DIR}/kctf/resources/kctf-operator-controller-manager-metrics-service_v1_service.yaml" || return
+  # install.yaml is an unified file for creating CRD, rbac and operator
   if [[ "$CLUSTER_TYPE" == "gce" ]]; then
     start_operator_gce || return
   else
-    "${KCTF_BIN}/kubectl" apply -f "${KCTF_CTF_DIR}/kctf/resources/operator.yaml" || return
+    "${KCTF_BIN}/kubectl" apply --server-side -f "${KCTF_CTF_DIR}/kctf/resources/install.yaml" || return
   fi
-  OPERATOR_IMAGE=$("${KCTF_BIN}/yq" eval '.spec.template.spec.containers[].image | select(.=="*kctf-operator*")' "${KCTF_CTF_DIR}/kctf/resources/operator.yaml")
+  OPERATOR_IMAGE=$("${KCTF_BIN}/yq" eval '.spec.template.spec.containers[].image | select(.=="*kctf-operator*")' "${KCTF_CTF_DIR}/kctf/resources/install.yaml")
   if [[ $? -ne 0 ]]; then
     echo "Failed to find the operator image." >&2
     return 1

dist/challenge-templates/pwn/challenge/Dockerfile

@@ -13,12 +13,13 @@
 # limitations under the License.
 FROM ubuntu:24.04 as chroot
 
-RUN /usr/sbin/useradd --no-create-home -u 1000 user
+# ubuntu24 includes the ubuntu user by default
+RUN /usr/sbin/userdel -r ubuntu && /usr/sbin/useradd --no-create-home -u 1000 user
 
 COPY flag /
 COPY chal /home/user/
 
-FROM gcr.io/kctf-docker/challenge@sha256:eb0f8c3b97460335f9820732a42702c2fa368f7d121a671c618b45bbeeadab28
+FROM gcr.io/kctf-docker/challenge@sha256:2008bc49ea75d2e4be6dd71b09e51b2405517fdde7318245436ca36f8402d3e6
 
 COPY --from=chroot / /chroot
 

dist/challenge-templates/pwn/healthcheck/Dockerfile

@@ -11,7 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM gcr.io/kctf-docker/healthcheck@sha256:35a21466f658914ad33b700c2b1c938ed6ec739ecf73c8766ab565509d203660
+FROM gcr.io/kctf-docker/healthcheck@sha256:7534eb90c4c21270f42c691e6ee211cc55188b2d3526051a9db8922a557ea3fa
 
 COPY healthcheck_loop.sh healthcheck.py healthz_webserver.py /home/user/
 

dist/challenge-templates/web/challenge/Dockerfile

@@ -13,17 +13,16 @@
 # limitations under the License.
 FROM ubuntu:24.04 as chroot
 
-RUN /usr/sbin/useradd -u 1000 user
+# ubuntu24 includes the ubuntu user by default
+RUN /usr/sbin/userdel -r ubuntu && /usr/sbin/useradd --no-create-home -u 1000 user
 
 RUN apt-get update \
     && apt-get install -yq --no-install-recommends \
        curl ca-certificates socat gnupg lsb-release software-properties-common php-cgi \
     && rm -rf /var/lib/apt/lists/*
 
-RUN curl -sSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - \
-    && (echo "deb https://deb.nodesource.com/node_10.x $(lsb_release -s -c) main";\
-        echo "deb-src https://deb.nodesource.com/node_10.x $(lsb_release -s -c) main") \
-       > /etc/apt/sources.list.d/nodesource.list \
+RUN curl -fsSL https://deb.nodesource.com/setup_20.x -o nodesource_setup.sh \
+    && bash nodesource_setup.sh \
     && add-apt-repository universe \
     && apt-get update \
     && apt-get install -yq --no-install-recommends nodejs socat \
@@ -40,7 +39,7 @@ COPY web-servers /web-servers
 
 COPY flag /
 
-FROM gcr.io/kctf-docker/challenge@sha256:eb0f8c3b97460335f9820732a42702c2fa368f7d121a671c618b45bbeeadab28
+FROM gcr.io/kctf-docker/challenge@sha256:2008bc49ea75d2e4be6dd71b09e51b2405517fdde7318245436ca36f8402d3e6
 
 RUN apt-get update \
     && DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends tzdata apache2 \

dist/challenge-templates/web/healthcheck/Dockerfile

@@ -11,7 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM gcr.io/kctf-docker/healthcheck@sha256:35a21466f658914ad33b700c2b1c938ed6ec739ecf73c8766ab565509d203660
+FROM gcr.io/kctf-docker/healthcheck@sha256:7534eb90c4c21270f42c691e6ee211cc55188b2d3526051a9db8922a557ea3fa
 
 COPY healthcheck_loop.sh healthcheck.py healthz_webserver.py /home/user/
 

dist/challenge-templates/xss-bot/challenge/Dockerfile

@@ -11,7 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM gcr.io/kctf-docker/challenge@sha256:eb0f8c3b97460335f9820732a42702c2fa368f7d121a671c618b45bbeeadab28
+FROM gcr.io/kctf-docker/challenge@sha256:2008bc49ea75d2e4be6dd71b09e51b2405517fdde7318245436ca36f8402d3e6
 
 RUN apt-get update && apt-get install -y gnupg2 wget
 
@@ -21,13 +21,13 @@ RUN apt-get update && apt-get install -y gnupg2 wget
 #  plus libxshmfence1 which seems to be missing
 RUN wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - \
     && sh -c 'echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list' \
-    && wget -q -O - https://deb.nodesource.com/setup_16.x | bash - \
+    && wget -q -O - https://deb.nodesource.com/setup_20.x | bash - \
     && apt-get update \
     && DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends \
         ca-certificates \
         fonts-liberation \
         libappindicator3-1 \
-        libasound2 \
+        libasound2t64 \
         libatk-bridge2.0-0 \
         libatk1.0-0 \
         libc6 \

dist/challenge-templates/xss-bot/challenge/bot.js

@@ -29,6 +29,7 @@ if (BLOCK_SUBORIGINS) {
     '--proxy-pac-url=data:application/x-ns-proxy-autoconfig;base64,'+PAC_B64,
   ];
 }
+puppeter_args.args.push('--incognito');
 
 (async function(){
   const browser = await puppeteer.launch(puppeter_args);
@@ -50,7 +51,7 @@ if (BLOCK_SUBORIGINS) {
     socket.state = 'LOADED';
     let cookie = JSON.parse(fs.readFileSync('/home/user/cookie'));
 
-    const context = await browser.createIncognitoBrowserContext();
+    const context = await browser.createBrowserContext();
     const page = await context.newPage();
     await page.setCookie(cookie);
     socket.write(`Loading page ${url}.\n`);

dist/challenge-templates/xss-bot/healthcheck/Dockerfile

@@ -11,7 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM gcr.io/kctf-docker/healthcheck@sha256:35a21466f658914ad33b700c2b1c938ed6ec739ecf73c8766ab565509d203660
+FROM gcr.io/kctf-docker/healthcheck@sha256:7534eb90c4c21270f42c691e6ee211cc55188b2d3526051a9db8922a557ea3fa
 
 COPY healthcheck_loop.sh healthcheck.py healthz_webserver.py /home/user/