[release-0.19] Backporting dependency bumps to fix vulnerabilities #8118

Member

@cxbrowne1207 cxbrowne1207 commented May 8, 2024

Issue #, if available:

Description of changes:
This PR fixes the vulnerability against the release-0.19 branch: https://github.com/aws/eks-anywhere/actions/runs/8919770915/job/24496803340

We disabled the vulnerability scan for some time, but after we re-enabled it, we’ve seen the scan identify more issues. One of the dependencies we need to bump to a good version to pass the scan is helm. But it requires a few cascading changes as well that we have to upgrade. Most notably controller-runtime, which also requires upgrading:

The helm vulnerability was only moderate in severity.

If we do this upgrade, we would have to watch the next patch release closely for failures with such a massive change (and possibly roll back or back-port other fixes that have been made to main). I did run these changes against the release-0.19 branch and the quick-e2e, but haven’t tested against the full suite. If we don’t do these bumps, the vulnerability checks against the release branch will not pass.
I think if we don’t, we should consider disabling checks on the release branches entirely, but this comes with the risk of not being alerted to necessary CVE fixes that could affect these branches. Additionally, addressing these issues as they come up could lead to complex changes when there does need to be a fix that needs to be backported.

The PR manually cherry-picks the following PRs:
- Bump controller-runtime to v0.16.5: #7788
- Bump helm to v3.14.2: #7797
- Bump x/net: #7945
- Bump Go version to 1.21: #7805
- Bump helm from 3.14.2 to 3.14.4: #8119

Testing (if applicable):
Ran changes against quick E2E tests on the release branch.

Documentation added/planned (if applicable):

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
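
As an added illustration (not part of this pull request or the eks-anywhere code base), a standard-library-only Go check that a release branch's go.mod still meets the versions listed in the bump list above, including the case where a `replace` directive pins an older version than `require` states. The module import paths and the go.mod text passed in `main` are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// floors: versions from this PR's bump list; module paths are assumed upstream paths.
var floors = [][2]string{
	{"helm.sh/helm/v3", "v3.14.4"},
	{"sigs.k8s.io/controller-runtime", "v0.16.5"},
	{"sigs.k8s.io/cluster-api", "v1.6.2"},
}

// rank makes "v3.14.4" comparable; Sscanf stops at any -pre or +meta suffix.
func rank(v string) int {
	var a, b, c int
	fmt.Sscanf(v, "v%d.%d.%d", &a, &b, &c)
	return (a*100000+b)*100000 + c
}

// CheckGoMod lists floored modules whose effective version (replace beats require) is too old.
func CheckGoMod(gomod string) (out []string) {
	eff, rep := map[string]string{}, map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		left, right, isRep := strings.Cut(strings.Split(line, "//")[0], "=>")
		l, r := strings.Fields(left), strings.Fields(right)
		if len(l) > 0 && (l[0] == "require" || l[0] == "replace") {
			l = l[1:]
		}
		if isRep && len(l) > 0 && len(r) > 0 {
			rep[l[0]] = r[len(r)-1] // a local path ranks as 0, so it is flagged as unverifiable
		} else if !isRep && len(l) >= 2 {
			eff[l[0]] = l[1]
		}
	}
	for m, v := range rep {
		eff[m] = v
	}
	for _, f := range floors {
		if have, ok := eff[f[0]]; ok && rank(have) < rank(f[1]) {
			out = append(out, fmt.Sprintf("%s %s < %s", f[0], have, f[1]))
		}
	}
	return out
}

func main() { // the go.mod text below is constructed, not the repository's file
	fmt.Println(CheckGoMod("require helm.sh/helm/v3 v3.14.2\n"))
}
```

A pre-release such as `v3.14.4-rc.1` ranks equal to its release here, so a stricter gate would need full semver ordering.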

g-gaston and others added 3 commits May 8, 2024 15:19
`controller-runtime` v0.16.5

- Fake client breaking changes:
  - Start using `WithStatusSubresource` when we care about status being
    treated differently through `Update` calls. This is basically all
    controllers.
  - Add a finalizer when creating an object directly with a deletion
    timestamp. This makes sense since any controller interested in the
    delete flow should be already adding finalizers.
- Signature of `Watches` for creating a controller has been simplified
  and doesn't need the `source.Kind` wrapper.
- Manager options signature has changed. Now metrics and webhook fields
  are nested in their own second-level struct.
- Validation webhooks now return a `(admission.Warnings, error)` instead
  of just `error`. We are not using this functionality for now, but we
  had to update all our webhooks and test to follow the new signature.
- `handler.MapFunc` has changed, now they take a context as well. We
  don't use the context but need to conform to the new signature.

`cluster-api` v1.6.2

- When setting up cluster tracker, the variable `DefaultIndexes` is
  removed, now we use `[]Index{NodeProviderIDIndex}`

CAPC

We are still waiting for capc to be updated to capi v1.5, which would
enable us to move to controller-runtime v0.15. It's taking quite long
and we got to the point where this is preventing us from updating
modules (like helm) that we need to update ASAP.

I opted for "vendoring" just the api structs we need from capc. In order
to contain changes and allow for an easy "revert" to use the original
module (whenever we can), I created a dummy module so I can just use a
`replace` in our go.mod and point to our vendored folder.

I put this in `internal/thirdparty/capc`. You don't need to review that
code, I just copied it.

Assertions in gomock

I had to change some of the assertions in the cluster manager tests. Now
they are less strict since they use type instead of content assertion.
TBH, they were wrong from the beginning since they expected current and
new spec to be the same, so if so, this makes the test slightly better.

I checked and I believe all this is already dead code because of the
workflow refactors we did in v0.19.0. It's just that the code hasn't
been deleted yet. I'll push to get all this crap removed.

CAPV

They just change the package where they have the api structs from
`api/[version]` to `apis/[version]`.
bump helm and controller runtime
bump net/x to fix vulnerability
@cxbrowne1207 cxbrowne1207 changed the title Bump helm, controller-runtime and x/net to fix vulnerabilities [release-0.19] Bump helm, controller-runtime and x/net to fix vulnerabilities May 8, 2024
@eks-distro-bot eks-distro-bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label May 8, 2024

codecov bot commented May 8, 2024

Codecov Report

Attention: Patch coverage is 76.34409% with 44 lines in your changes are missing coverage. Please review.

❗ No coverage uploaded for pull request base (release-0.19@9bd3b91). Click here to learn what that means.

| Files | Patch % | Lines |
|---|---|---|
| pkg/api/v1alpha1/gitopsconfig_webhook.go | 25.00% | 6 Missing ⚠️ |
| ...api/v1alpha1/cloudstackdatacenterconfig_webhook.go | 50.00% | 5 Missing ⚠️ |
| pkg/api/v1alpha1/fluxconfig_webhook.go | 44.44% | 5 Missing ⚠️ |
| pkg/api/v1alpha1/oidcconfig_webhook.go | 60.00% | 4 Missing ⚠️ |
| ...kg/api/v1alpha1/tinkerbellmachineconfig_webhook.go | 63.63% | 4 Missing ⚠️ |
| pkg/api/v1alpha1/awsiamconfig_webhook.go | 62.50% | 3 Missing ⚠️ |
| ...kg/api/v1alpha1/cloudstackmachineconfig_webhook.go | 76.92% | 3 Missing ⚠️ |
| ...kg/api/v1alpha1/vspheredatacenterconfig_webhook.go | 75.00% | 3 Missing ⚠️ |
| pkg/api/v1alpha1/vspheremachineconfig_webhook.go | 76.92% | 3 Missing ⚠️ |
| pkg/api/v1alpha1/cluster_webhook.go | 87.50% | 2 Missing ⚠️ |

... and 4 more
Additional details and impacted files
@@               Coverage Diff               @@
##             release-0.19    #8118   +/-   ##
===============================================
  Coverage                ?   73.47%           
===============================================
  Files                   ?      588           
  Lines                   ?    37187           
  Branches                ?        0           
===============================================
  Hits                    ?    27322           
  Misses                  ?     8069           
  Partials                ?     1796           


@cxbrowne1207 cxbrowne1207 changed the title [release-0.19] Bump helm, controller-runtime and x/net to fix vulnerabilities [release-0.19] Backporting dependency bumps to fix vulnerabilities May 8, 2024
@cxbrowne1207 cxbrowne1207 force-pushed the fix-vuln-bump-helm-and-controller-runtime branch from 3030c85 to 5d80e1b Compare May 8, 2024 16:48
@cxbrowne1207 cxbrowne1207 force-pushed the fix-vuln-bump-helm-and-controller-runtime branch 5 times, most recently from 4e30a79 to 32b2a83 Compare May 8, 2024 18:10
@cxbrowne1207 cxbrowne1207 force-pushed the fix-vuln-bump-helm-and-controller-runtime branch from 32b2a83 to 20a19b0 Compare May 8, 2024 18:22
@d8660091
Member

d8660091 commented May 8, 2024

/lgtm

@cxbrowne1207
Member Author

/approve

@eks-distro-bot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cxbrowne1207

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cxbrowne1207
Member Author

Code patch is failing, but all the changes here are simply backports.

Manually merging

@cxbrowne1207 cxbrowne1207 merged commit f34868b into aws:release-0.19 May 8, 2024
11 of 13 checks passed
@cxbrowne1207 cxbrowne1207 deleted the fix-vuln-bump-helm-and-controller-runtime branch May 8, 2024 21:13
Labels
approved lgtm size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.