Commit
* Backport of [NET-5932] chore: remove comment from closed ticket into release/1.4.x (#3637)

  backport of commit a95e951

  Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* Backport of build: Create arm64 packages as well into release/1.4.x (#3647)

  backport of commit affc631

  Co-authored-by: Daniel Kimsey <90741+dekimsey@users.noreply.github.com>

* Backport of [NET-2420] security: Upgrade helm containerd and several other dependencies into release/1.4.x (#3641)

  * security: upgrade helm/v3 to 3.11.3

    Addresses multiple CVEs:
    - CVE-2023-25165
    - CVE-2022-23524
    - CVE-2022-23526
    - CVE-2022-23525

  * chore: upgrade k8s dependencies to match controller-runtime

  * security: upgrade containerd to latest

    Addresses GHSA-7ww5-4wqc-m92c (GO-2023-2412)

  * security: upgrade docker/docker to latest

    Addresses GHSA-jq35-85cj-fj4p

  * security: upgrade docker/distribution to latest

    Addresses CVE-2023-2253

  * security: upgrade filepath-securejoin to latest patch

    Addresses GHSA-6xv5-86q9-7xr8 (GO-2023-2048)

  * chore: upgrade oras-go to fix docker incompatibility

  * Add changelog

  ---------

  Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* Backport of values.yaml - tlsServerName docs into release/1.4.x (#3667)

  * backport of commit 1598b40
  * backport of commit 41dabc4

  ---------

  Co-authored-by: David Yu <dyu@hashicorp.com>

* Backport of [NET-2420] security: re-enable security scan release block into release/1.4.x (#3651)

  * security: re-enable security scan release block

    This was previously disabled due to an unresolved false-positive CVE. Re-enabling both secrets and OSV + Go Modules scanning, which per our current scan results should not be a blocker to future releases.

    Also add security scans on PR and merge to protected branches to allow proactive triage going forward.

    See hashicorp/consul#19978 for similar change in that repo, adapted here.

  * security: add scan triage for CVE-2024-25620 (helm/v3)

    Triage this scan result as `consul-k8s` should not be directly impacted and it is medium severity. Follow-up ticket filed for remediation.

    Also improve formatting of scan config since this change will be backported.

  ---------

  Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* Backport of [NET-6741] make: Add target for updating dependencies across all modules into release/1.4.x (#3673)

  backport of commit 44583d3

  Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* Backport of build.yml: Add ECR images back into release/1.4.x (#3679)

  * backport of commit 8fba327
  * backport of commit 9a73765
  * backport of commit dd2222f

  ---------

  Co-authored-by: David Yu <dyu@hashicorp.com>

* Backport of build.yml: typo on tags into release/1.4.x (#3684)

  backport of commit cf8dcbe

  Co-authored-by: David Yu <dyu@hashicorp.com>

* Backport of [NET-8174] security: add scan triage for CVE-2024-26147 (helm/v3) into release/1.4.x (#3692)

  backport of commit 4b8bc71

  Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* Backport of bump kind to v0.22.0 and update k8s support into release/1.4.x (#3687)

  * backport of commit 9f495e0
  * backport of commit df8edec
  * backport of commit ca89a82

  ---------

  Co-authored-by: NicoletaPopoviciu <nicoleta@hashicorp.com>

---------

Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com>
Co-authored-by: Daniel Kimsey <90741+dekimsey@users.noreply.github.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
Co-authored-by: NicoletaPopoviciu <nicoleta@hashicorp.com>
1 parent 7ccd3d3, commit 573bb90

Showing 28 changed files with 753 additions and 582 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
```release-note:note | ||
build: Releases will now also be available as Debian and RPM packages for the arm64 architecture, refer to the | ||
[Official Packaging Guide](https://www.hashicorp.com/official-packaging-guide) for more information. | ||
``` |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
```release-note:security | ||
Upgrade `helm/v3` to 3.11.3. This resolves the following security vulnerabilities: | ||
[CVE-2023-25165](https://osv.dev/vulnerability/CVE-2023-25165) | ||
[CVE-2022-23524](https://osv.dev/vulnerability/CVE-2022-23524) | ||
[CVE-2022-23526](https://osv.dev/vulnerability/CVE-2022-23526) | ||
[CVE-2022-23525](https://osv.dev/vulnerability/CVE-2022-23525) | ||
``` | ||
```release-note:security | ||
security: upgrade containerd to 1.7.13 (latest) to resolve [GHSA-7ww5-4wqc-m92c](https://osv.dev/vulnerability/GO-2023-2412). | ||
``` | ||
```release-note:security | ||
Upgrade docker/docker to 25.0.3+incompatible (latest) to resolve [GHSA-jq35-85cj-fj4p](https://osv.dev/vulnerability/GHSA-jq35-85cj-fj4p). | ||
``` | ||
```release-note:security | ||
Upgrade docker/distribution to 2.8.3+incompatible (latest) to resolve [CVE-2023-2253](https://osv.dev/vulnerability/CVE-2023-2253). | ||
``` | ||
```release-note:security | ||
Upgrade filepath-securejoin to 0.2.4 (latest) to resolve [GO-2023-2048](https://osv.dev/vulnerability/GO-2023-2048). | ||
``` |
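Review bot: the containerd entry (the line beginning `security: upgrade containerd to 1.7.13`) keeps a `security:` prefix that the other four entries in this file omit, and its link text is the GHSA id while the URL points at the GO-2023-2412 alias; suggest `Upgrade containerd to 1.7.13 (latest) to resolve [GHSA-7ww5-4wqc-m92c](https://osv.dev/vulnerability/GO-2023-2412)` so the generated changelog reads consistently. The filepath-securejoin entry names only GO-2023-2048 although the commit message records it as GHSA-6xv5-86q9-7xr8 (GO-2023-2048); carrying both ids, as the containerd entry does, makes the note findable by either.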
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
```release-note:improvement | ||
control-plane: publish `consul-k8s-control-plane` and `consul-k8s-control-plane-fips` images to official HashiCorp AWS ECR. | ||
``` |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
```release-note:improvement | ||
helm: Kubernetes v1.29 is now supported. Minimum tested version of Kubernetes is now v1.26. | ||
``` |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
name: get-go-version | ||
|
||
on: | ||
workflow_call: | ||
outputs: | ||
go-version: | ||
description: "The Go version detected by this workflow" | ||
value: ${{ jobs.get-go-version.outputs.go-version }} | ||
|
||
jobs: | ||
get-go-version: | ||
name: "Determine Go toolchain version" | ||
runs-on: ubuntu-latest | ||
outputs: | ||
go-version: ${{ steps.get-go-version.outputs.go-version }} | ||
steps: | ||
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | ||
- name: Determine Go version | ||
id: get-go-version | ||
# We use .go-version as our source of truth for current Go | ||
# version, because "goenv" can react to it automatically. | ||
# | ||
# In the future, we can transition from .go-version and goenv to | ||
# Go 1.21 `toolchain` directives by updating this workflow rather | ||
# than individually setting `go-version-file` in each `setup-go` | ||
# job (as of 2024-01-03, `setup-go` does not support `toolchain`). | ||
run: | | ||
GO_VERSION=$(head -n 1 .go-version) | ||
echo "Building with Go ${GO_VERSION}" | ||
echo "go-version=${GO_VERSION}" >> $GITHUB_OUTPUT |
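Review bot: the `run:` step at the end of the hunk passes `head -n 1 .go-version` straight into the job output without trimming or validating it, and expands `$GITHUB_OUTPUT` unquoted. A trailing space or CRLF in `.go-version` would be forwarded verbatim as the `go-version` input of every `setup-go` job that consumes this workflow. Suggest `GO_VERSION=$(head -n 1 .go-version | tr -d '[:space:]')`, followed by `[ -n "$GO_VERSION" ] || { echo ".go-version is empty" >&2; exit 1; }`, and `echo "go-version=${GO_VERSION}" >> "$GITHUB_OUTPUT"`.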
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
name: Security Scan | ||
|
||
on: | ||
push: | ||
branches: | ||
- main | ||
- release/** | ||
pull_request: | ||
branches: | ||
- main | ||
- release/** | ||
|
||
# cancel existing runs of the same workflow on the same ref | ||
concurrency: | ||
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} | ||
cancel-in-progress: true | ||
|
||
jobs: | ||
get-go-version: | ||
uses: ./.github/workflows/reusable-get-go-version.yml | ||
|
||
scan: | ||
needs: | ||
- get-go-version | ||
runs-on: ubuntu-latest | ||
# The first check ensures this doesn't run on community-contributed PRs, who | ||
# won't have the permissions to run this job. | ||
if: ${{ (github.repository != 'hashicorp/consul-k8s' || (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name)) | ||
&& (github.actor != 'dependabot[bot]') && (github.actor != 'hc-github-team-consul-core') }} | ||
|
||
steps: | ||
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | ||
|
||
- name: Set up Go | ||
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 | ||
with: | ||
go-version: ${{ needs.get-go-version.outputs.go-version }} | ||
|
||
- name: Clone Security Scanner repo | ||
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | ||
with: | ||
repository: hashicorp/security-scanner | ||
#TODO: replace w/ HASHIBOT_PRODSEC_GITHUB_TOKEN once provisioned | ||
token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | ||
path: security-scanner | ||
ref: main | ||
|
||
- name: Scan | ||
id: scan | ||
uses: ./security-scanner | ||
with: | ||
repository: "$PWD" | ||
# See scan.hcl at repository root for config. | ||
|
||
- name: SARIF Output | ||
shell: bash | ||
run: | | ||
cat results.sarif | jq | ||
- name: Upload SARIF file | ||
uses: github/codeql-action/upload-sarif@46a6823b81f2d7c67ddf123851eea88365bc8a67 # codeql-bundle-v2.13.5 | ||
with: | ||
sarif_file: results.sarif |
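Review bot: the workflow declares no `permissions:` block, so the `scan` job runs with whatever default `GITHUB_TOKEN` permissions the repository is configured with, while the final `Upload SARIF file` step (`github/codeql-action/upload-sarif`) needs `security-events: write`; with a read-only default the upload fails, and with a write-all default the job holds far more than it needs next to the `ELEVATED_GITHUB_TOKEN` secret it already uses. Suggest adding at workflow or job level `permissions:` with `contents: read` and `security-events: write`. Minor: `cat results.sarif | jq` in the `SARIF Output` step can be `jq . results.sarif`, and the comment above `if:` could also mention that the guard keeps the private `hashicorp/security-scanner` checkout (and its token) off fork PRs, which is the security reason for it rather than only the permissions one.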
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,16 +1,42 @@ | ||
# Copyright (c) HashiCorp, Inc. | ||
# SPDX-License-Identifier: MPL-2.0 | ||
|
||
# These scan results are run as part of CRT workflows. | ||
|
||
# Un-triaged results will block release. See `security-scanner` docs for more | ||
# information on how to add `triage` config to unblock releases for specific results. | ||
# In most cases, we should not need to disable the entire scanner to unblock a release. | ||
|
||
# To run manually, install scanner and then from the repository root run | ||
# `SECURITY_SCANNER_CONFIG_FILE=.release/security-scan.hcl scan ...` | ||
# To scan a local container, add `local_daemon = true` to the `container` block below. | ||
# See `security-scanner` docs or run with `--help` for scan target syntax. | ||
|
||
container { | ||
dependencies = true | ||
alpine_secdb = true | ||
secrets = true | ||
dependencies = true | ||
alpine_secdb = true | ||
|
||
secrets { | ||
all = true | ||
} | ||
} | ||
|
||
binary { | ||
secrets = true | ||
go_modules = false | ||
osv = true | ||
oss_index = false | ||
nvd = false | ||
} | ||
go_modules = true | ||
osv = true | ||
|
||
secrets { | ||
all = true | ||
} | ||
|
||
triage { | ||
suppress { | ||
vulnerabilites = [ | ||
# NET-8174 (2024-02-20): Chart YAML path traversal (not impacted) | ||
"GHSA-v53g-5gjp-272r", # alias CVE-2024-25620 | ||
# NET-8174 (2024-02-26): Missing YAML Content Leads To Panic (requires malicious plugin) | ||
"GHSA-r53h-jv2g-vpx6", # alias CVE-2024-26147 | ||
] | ||
} | ||
} | ||
} |
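Review bot: the `triage { suppress { ... } }` block uses the key `vulnerabilites` (missing the second `i`); confirm against the `security-scanner` schema that this is the spelling the tool reads, because a key the scanner does not recognise would leave GHSA-v53g-5gjp-272r and GHSA-r53h-jv2g-vpx6 unsuppressed and block the next release exactly as the header comment warns. The hunk shows old and new lines without `+`/`-` markers (note `dependencies = true` and `alpine_secdb = true` appearing twice under `container {`), so also check the rendered file does not end up with those keys declared twice. The per-entry comments carrying the ticket (NET-8174) and triage date are good practice; consider adding, once known, the `helm/v3` version at which each is fixed so the suppression has a clear removal condition.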