Luigi security fixes : Update to alpine3.18 and go1.21 and fix Trivy vulns #133
* Update github actions and golang image to golang:1.21-alpine3.18
* Use go 1.21 in Dockerfiles
* Remove failing 60s timeout from Ginkgo BeforeSuite
To generate coverage reports with
Do we need to bump versions of Luigi / Luigi addons with this change? There is no change in functionality. However, the container images are now alpine based and the following can get a new version:
We should bump up the version of Luigi. The underlying OS has changed, and a lot of the go module dependencies have been upgraded.
Talked to @joey00072 about the branching. We are not using a 0.5 branch - will create a new 0.5.4 branch and push these updates there. (Will require a new build of addon-operator and a new pf9-kube build with updated version of Luigi.)
This is for better maintainability, not just security
Trivy scan on the branch:
Fixes all 33 vulnerabilities reported by Grype scan in https://github.com/platform9/luigi/security/code-scanning
This was blocked on many previous attempts. Got a few things right this time.
Updating controller-runtime results in updating the k8s* modules. That was breaking the tests, though, since the tests used an obsolete Ginkgo v1 reporter and an old k8s object (from envtest/printer) that has been removed / deprecated in new versions. Had to update the test suites to import and use ginkgo/v2.
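As an added illustration of the image layout the commit message describes (this is not platform9/luigi's own Dockerfile), a multi-stage build that compiles with the golang:1.21-alpine3.18 toolchain and ships only the binary on an alpine:3.18 runtime image. The package path ./cmd/manager, the binary name manager and the uid 65532 are placeholders chosen for the example.

```dockerfile
# Added example, not the project's Dockerfile. Paths and names are placeholders.

# Build stage: Go 1.21 toolchain on Alpine 3.18.
FROM golang:1.21-alpine3.18 AS builder
WORKDIR /src
# Download modules in their own layer so source edits do not invalidate the cache.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static, stripped binary: the runtime image then needs no libc or toolchain.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/manager ./cmd/manager

# Runtime stage: minimal Alpine 3.18. Only what is copied here ends up in the
# image that Trivy/Grype scan; the builder stage (and its toolchain CVEs) does not.
FROM alpine:3.18
RUN apk add --no-cache ca-certificates \
    && adduser -D -u 65532 nonroot
COPY --from=builder /out/manager /usr/local/bin/manager
USER 65532:65532
ENTRYPOINT ["/usr/local/bin/manager"]
```

After building, `trivy image <tag>` and `grype <tag>` report against the runtime stage only, which is why keeping the toolchain confined to the builder stage shrinks the finding count; the remaining findings then track the alpine:3.18 package set, so rebuilding when the base image is patched is what keeps the scan clean.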