fix: address CVE-2023-39325 (#1022)
* address CVE-2023-39325
- upgrade to golang v1.20.10
- disable http/2 for webhook and metrics server, use http/1.1 by default but make it a configurable flag
- upgrade k8s library packages to v0.28.3
- Add new structs for keycloak API that were previously part of the (now deprecated) keycloak-operator repo
- upgrade controller-runtime to v0.16.3
- refactor all unit tests

---------

Signed-off-by: Jaideep Rao <jaideep.r97@gmail.com>
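How the "disable http/2 ... but make it a configurable flag" item in the message above can be implemented, as an added example that is not the project's own code: it uses a plain net/http server instead of the controller-runtime webhook and metrics server options the commit actually changes (that part of the diff is not shown on this page), and the flag name, listen address and certificate paths are assumptions.

```go
package main

import (
	"crypto/tls"
	"flag"
	"net/http"
	"time"
)

// serverTLSConfig builds the TLS configuration for the webhook/metrics
// listener. With enableHTTP2 == false the ALPN offer is restricted to
// "http/1.1", so no client can negotiate h2 and the connection never
// reaches the HTTP/2 stream handling that CVE-2023-39325 concerns.
func serverTLSConfig(enableHTTP2 bool) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if !enableHTTP2 {
		cfg.NextProtos = []string{"http/1.1"}
	}
	return cfg
}

// newServer wires that TLS config into a net/http server. ServeTLS would
// otherwise append "h2" to NextProtos on its own, so when HTTP/2 is off the
// server also gets a non-nil, empty TLSNextProto map: net/http documents
// that as the switch that stops automatic h2 enablement.
func newServer(addr string, handler http.Handler, enableHTTP2 bool) *http.Server {
	srv := &http.Server{
		Addr:              addr,
		Handler:           handler,
		TLSConfig:         serverTLSConfig(enableHTTP2),
		ReadHeaderTimeout: 10 * time.Second, // bounds slow-header clients
	}
	if !enableHTTP2 {
		srv.TLSNextProto = map[string]func(*http.Server, *tls.Conn, http.Handler){}
	}
	return srv
}

func main() {
	// Mirrors the "configurable flag" from the commit message: HTTP/1.1 only
	// unless the operator is started with --enable-http2 (assumed flag name).
	enableHTTP2 := flag.Bool("enable-http2", false, "allow HTTP/2 on the webhook and metrics listeners")
	flag.Parse()
	srv := newServer(":9443", http.NewServeMux(), *enableHTTP2)
	// Certificate paths are placeholders; real paths depend on the deployment.
	_ = srv.ListenAndServeTLS("/path/to/tls.crt", "/path/to/tls.key")
}
```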
jaideepr97 committed Oct 26, 2023
1 parent 5a2e6c4 commit c8e4909
Showing 48 changed files with 8,992 additions and 4,032 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/ci-build.yaml
Expand Up @@ -30,7 +30,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.19
go-version: '1.20'

- name: Restore go build cache
uses: actions/cache@v1
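Review bot: `go-version: '1.20'` in this hunk pins only the minor release, so the job runs whatever 1.20.x the runner resolves at the time, not necessarily the 1.20.10 that the commit message says carries the CVE-2023-39325 fix; consider `go-version: '1.20.10'` so CI cannot silently build on an older patch level than the one the fix depends on.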
Expand Down Expand Up @@ -75,7 +75,7 @@ jobs:
- name: Setup Golang
uses: actions/setup-go@v1
with:
go-version: 1.19
go-version: '1.20'
- name: GH actions workaround - Kill XSP4 process
run: |
sudo pkill mono || true
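Review bot: the `Setup Golang` step here still uses `actions/setup-go@v1` while the `Set up Go` step earlier in the same workflow uses `@v2`; since this commit touches both version lines, align the two jobs on one major version of the action so they resolve `'1.20'` the same way.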
2 changes: 1 addition & 1 deletion .github/workflows/codegen.yaml
Expand Up @@ -8,7 +8,7 @@ on:
- 'master'
env:
# Golang version to use
GOLANG_VERSION: 1.19
GOLANG_VERSION: '1.20'
# Version of operator-sdk binary
SDK_VERSION: 1.11.0
# Checksum of operator-sdk binary
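Review bot: the quotes in `GOLANG_VERSION: '1.20'` are load-bearing, not cosmetic: unquoted `1.20` is a YAML float and round-trips as `1.2`, which would install the wrong toolchain. Extend the `# Golang version to use` comment to say the value must stay quoted, so a future bump does not drop the quotes; `SDK_VERSION: 1.11.0` can stay unquoted because a three-component value cannot parse as a number.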
2 changes: 1 addition & 1 deletion .github/workflows/go.yml
Expand Up @@ -22,7 +22,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.19
go-version: '1.20'

- name: Build
run: make build
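Review bot: this is the fourth workflow in the commit carrying the same literal Go version, alongside the Dockerfile; newer major releases of setup-go than the `@v2` used here accept `go-version-file: go.mod`, which would make the next toolchain bump a single-line change instead of five. Nothing functionally wrong with the hunk as written.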
2 changes: 1 addition & 1 deletion .github/workflows/publish.yaml
Expand Up @@ -22,7 +22,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.19
go-version: '1.20'

- name: Restore go build cache
uses: actions/cache@v1
2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,5 +1,5 @@
# Build the manager binary
FROM golang:1.19 as builder
FROM golang:1.20 as builder

WORKDIR /workspace
# Copy the Go Modules manifests
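Review bot: `FROM golang:1.20 as builder` is a floating tag, so the builder image depends on when it is pulled, and a cached layer can keep the build on a 1.20.x older than 1.20.10 even after this merges. Pin `golang:1.20.10` (or the image digest) so the CVE-2023-39325 fix the commit message relies on is guaranteed in the builder stage.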
100 changes: 71 additions & 29 deletions bundle/manifests/argoproj.io_argocdexports.yaml
Expand Up @@ -54,20 +54,23 @@ spec:
description: PVC is the desired characteristics for a PersistentVolumeClaim.
properties:
accessModes:
description: 'AccessModes contains the desired access modes
description: 'accessModes contains the desired access modes
the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1'
items:
type: string
type: array
dataSource:
description: 'This field can be used to specify either: *
An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
description: 'dataSource field can be used to specify either:
* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
* An existing PVC (PersistentVolumeClaim) If the provisioner
or an external controller can support the specified data
source, it will create a new volume based on the contents
of the specified data source. If the AnyVolumeDataSource
feature gate is enabled, this field will always have the
same contents as the DataSourceRef field.'
of the specified data source. When the AnyVolumeDataSource
feature gate is enabled, dataSource contents will be copied
to dataSourceRef, and dataSourceRef contents will be copied
to dataSource when dataSourceRef.namespace is not specified.
If the namespace is specified, then dataSourceRef will not
be copied to dataSource.'
properties:
apiGroup:
description: APIGroup is the group for the resource being
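Review bot: the description rewrites in this hunk (for example `accessModes contains the desired access modes` replacing `AccessModes contains ...`) are the upstream k8s.io/api doc strings that come with the v0.28.3 library bump named in the commit message; the thing to confirm is that `bundle/manifests/argoproj.io_argocdexports.yaml` was regenerated by the codegen workflow this commit also touches rather than edited by hand, otherwise the next regeneration will produce this diff again.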
Expand All @@ -86,26 +89,32 @@ spec:
- name
type: object
dataSourceRef:
description: 'Specifies the object from which to populate
the volume with data, if a non-empty volume is desired.
This may be any local object from a non-empty API group
(non core object) or a PersistentVolumeClaim object. When
this field is specified, volume binding will only succeed
description: 'dataSourceRef specifies the object from which
to populate the volume with data, if a non-empty volume
is desired. This may be any object from a non-empty API
group (non core object) or a PersistentVolumeClaim object.
When this field is specified, volume binding will only succeed
if the type of the specified object matches some installed
volume populator or dynamic provisioner. This field will
replace the functionality of the DataSource field and as
replace the functionality of the dataSource field and as
such if both fields are non-empty, they must have the same
value. For backwards compatibility, both fields (DataSource
and DataSourceRef) will be set to the same value automatically
if one of them is empty and the other is non-empty. There
are two important differences between DataSource and DataSourceRef:
* While DataSource only allows two specific types of objects,
DataSourceRef allows any non-core object, as well as PersistentVolumeClaim
objects. * While DataSource ignores disallowed values (dropping
them), DataSourceRef preserves all values, and generates
an error if a disallowed value is specified. (Alpha) Using
this field requires the AnyVolumeDataSource feature gate
to be enabled.'
value. For backwards compatibility, when namespace isn''t
specified in dataSourceRef, both fields (dataSource and
dataSourceRef) will be set to the same value automatically
if one of them is empty and the other is non-empty. When
namespace is specified in dataSourceRef, dataSource isn''t
set to the same value and must be empty. There are three
important differences between dataSource and dataSourceRef:
* While dataSource only allows two specific types of objects,
dataSourceRef allows any non-core object, as well as PersistentVolumeClaim
objects. * While dataSource ignores disallowed values (dropping
them), dataSourceRef preserves all values, and generates
an error if a disallowed value is specified. * While dataSource
only allows local objects, dataSourceRef allows objects in
any namespaces. (Beta) Using this field requires the AnyVolumeDataSource
feature gate to be enabled. (Alpha) Using the namespace
field of dataSourceRef requires the CrossNamespaceVolumeDataSource
feature gate to be enabled.'
properties:
apiGroup:
description: APIGroup is the group for the resource being
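Review bot: the two `isn''t` occurrences in the new `dataSourceRef` description look like typos but are correct YAML escaping of an apostrophe inside a single-quoted scalar; leave them as they are, since changing them to `isn't` would terminate the string early and break the CRD.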
Expand All @@ -119,18 +128,50 @@ spec:
name:
description: Name is the name of resource being referenced
type: string
namespace:
description: Namespace is the namespace of resource being
referenced Note that when a namespace is specified,
a gateway.networking.k8s.io/ReferenceGrant object is
required in the referent namespace to allow that namespace's
owner to accept the reference. See the ReferenceGrant
documentation for details. (Alpha) This field requires
the CrossNamespaceVolumeDataSource feature gate to be
enabled.
type: string
required:
- kind
- name
type: object
resources:
description: 'Resources represents the minimum resources the
description: 'resources represents the minimum resources the
volume should have. If RecoverVolumeExpansionFailure feature
is enabled users are allowed to specify resource requirements
that are lower than previous value but must still be higher
than capacity recorded in the status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
properties:
claims:
description: "Claims lists the names of resources, defined
in spec.resourceClaims, that are used by this container.
\n This is an alpha field and requires enabling the
DynamicResourceAllocation feature gate. \n This field
is immutable. It can only be set for containers."
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
name:
description: Name must match the name of one entry
in pod.spec.resourceClaims of the Pod where this
field is used. It makes that resource available
inside a container.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
limits:
additionalProperties:
anyOf:
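Review bot: the schema now admits two feature-gated fields the old CRD rejected: `namespace` under `dataSourceRef` (marked Alpha, requires the CrossNamespaceVolumeDataSource gate and a ReferenceGrant in the referent namespace, per its own description) and `claims` under `resources` (marked alpha, requires DynamicResourceAllocation). Users who set them in an ArgoCDExport PVC spec will get a successful apply but no effect on clusters without those gates, so a line in the ArgoCDExport docs or changelog stating the cluster requirement would prevent a confusing support case.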
Expand All @@ -152,11 +193,12 @@ spec:
compute resources required. If Requests is omitted for
a container, it defaults to Limits if that is explicitly
specified, otherwise to an implementation-defined value.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
selector:
description: A label query over volumes to consider for binding.
description: selector is a label query over volumes to consider
for binding.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
Expand Down Expand Up @@ -201,16 +243,16 @@ spec:
type: object
type: object
storageClassName:
description: 'Name of the StorageClass required by the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1'
description: 'storageClassName is the name of the StorageClass
required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1'
type: string
volumeMode:
description: volumeMode defines what type of volume is required
by the claim. Value of Filesystem is implied when not included
in claim spec.
type: string
volumeName:
description: VolumeName is the binding reference to the PersistentVolume
description: volumeName is the binding reference to the PersistentVolume
backing this claim.
type: string
type: object
