
Luigi security fixes : Update to alpine3.18 and go1.21 and fix Trivy vulns #133

Merged: 2 commits, Feb 27, 2024

Conversation

@cruizen (Contributor) commented Feb 22, 2024

This is for better maintainability, not just security

  • Also updates the docker images and GitHub workflow CI actions to use go 1.21 and Alpine 3.18 (smaller images)

Trivy scan on the branch:

[centos@test-pf9-du-host-airgap-c7-3146480-540 luigi]$ trivy fs . --scanners vuln
2024-02-22T21:51:28.051Z	INFO	Vulnerability scanning is enabled
2024-02-22T21:51:29.606Z	INFO	Number of language-specific files: 7
2024-02-22T21:51:29.606Z	INFO	Detecting gomod vulnerabilities...
[centos@test-pf9-du-host-airgap-c7-3146480-540 luigi]$

Fixes all 33 vulnerabilities reported by Grype scan in https://github.com/platform9/luigi/security/code-scanning

This was blocked on many previous attempts. Got a few things right this time.

Updating controller-runtime results in updating the k8s* modules. That was breaking the tests, though, since the tests used an obsolete Ginkgo v1 reporter and an old k8s object (from envtest/printer) that has been removed/deprecated in newer versions.

Had to update the test suites to import and use ginkgo/v2.

* Update github actions and golang image to golang:1.21-alpine3.18
* Use go 1.21 in Dockerfiles
* Remove failing 60s timeout from Ginkgo BeforeSuite
@cruizen (Contributor, Author) commented Feb 22, 2024

To generate coverage reports with Codecov, the Codecov token needs to be populated as a repo secret in GitHub. This can be done once the admin approves the Codecov app.

info - 2024-02-22 22:34:23,202 -- ci service found: github-actions
warning - 2024-02-22 22:34:23,204 -- No config file could be found. Ignoring config.
Error: Codecov token not found. Please provide Codecov token with -t flag.
Warning: Codecov: Failed to properly create commit: The process '/home/runner/work/_actions/codecov/codecov-action/v4/dist/codecov' failed with exit code 1

@cruizen (Contributor, Author) commented Feb 23, 2024

Do we need to bump versions of Luigi / Luigi addons with this change?

There is no change in functionality. However, the container images are now alpine based and the following can get a new version:
https://github.com/platform9/airctl/blob/atherton/conf/pmk_cluster_img_list.json#L61

@mithilarun (Member) left a comment

We should bump up the version of Luigi. The underlying OS has changed, and a lot of the go module dependencies have been upgraded.

@cruizen (Contributor, Author) commented Feb 27, 2024

Talked to @joey00072 about the branching. We are not using a 0.5 branch; we will create a new 0.5.4 branch and push these updates there (this will require a new build of addon-operator and a new pf9-kube build with the updated version of Luigi).

@cruizen cruizen merged commit 2d00cd7 into master Feb 27, 2024
6 checks passed
@cruizen cruizen deleted the private/atherton/trilok/alpine3.18-go1.21 branch February 27, 2024 04:44