Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Alpine to v3.14 #360

Merged
merged 1 commit into from
Nov 16, 2021
Merged

Update Alpine to v3.14 #360

merged 1 commit into from
Nov 16, 2021

Conversation

vespian
Copy link
Contributor

@vespian vespian commented Nov 16, 2021
edited
Loading

This mitigates alerts from security scanners, when scanning helm-controller docker image:

Adding patchlevel version allows for more reproducible builds.

@vespian vespian force-pushed the prozlach/bump_alpine_image branch from 91d0c7d to ee9ef03 Compare November 16, 2021 09:48
@stefanprodan
Copy link
Member

stefanprodan commented Nov 16, 2021
edited
Loading

Adding patchlevel version allows for more reproducible builds.

It also means new CVE fixes will not land in Flux releases unless someone bumps the patch version of Alpine in all our controllers. I’m not for doing this in Flux.

@makkes
Copy link
Member

makkes commented Nov 16, 2021

Omitting the patch version worked pretty well in the past so I suppose let's leave it like that and just bump to 3.14.

@stefanprodan
Copy link
Member

@makkes we need to update Alpine to 3.14 for all the Flux components that use it as base image:

  • kustomize-controller
  • helm-controller
  • notification-controller
  • image-reflector-controller
  • flux-cli (Dockerfile in flux2 repo)

We use Debian in source-controller and image-automation-controller and that has many OS CVEs too.

@vespian
Copy link
Contributor Author

vespian commented Nov 16, 2021
edited
Loading

We may also consider closing this PR.

Alpine 3.13 is going to be supported until 2022-11-01. If the policy is to use the latest Alpine minor-version image during the release time (i.e. do not specify patchlevel version in the Dockerfile), then all recent flux releases that fetched 3.13.7 version are OK.

Bumping 3.14 makes sense if all flux containers should use the same Alpine minor release.

Let me know what you think.

@stefanprodan
Copy link
Member

stefanprodan commented Nov 16, 2021
edited
Loading

I'm for bumping Alpine to 3.14 in all Flux controllers and flux-cli.

@vespian
Update Alpine to v3.14
1fc834d 
Signed-off-by: Pawel Rozlach <vespian@users.noreply.github.com>
@vespian vespian force-pushed the prozlach/bump_alpine_image branch from ee9ef03 to 1fc834d Compare November 16, 2021 11:08
@vespian
Copy link
Contributor Author

vespian commented Nov 16, 2021

I'm for bumping Alpine to 3.14 in all Flux controllers and flux-cli.

ACK I adjusted the PR as requested. Please have another look.

@makkes
Copy link
Member

makkes commented Nov 16, 2021

@vespian would you be up for bumping the Alpine version in the other controllers, too?

@stefanprodan stefanprodan added the area/ci CI related issues and pull requests label Nov 16, 2021
@vespian
Copy link
Contributor Author

vespian commented Nov 16, 2021

@vespian would you be up for bumping the Alpine version in the other controllers, too?

Sure thing.

@makkes makkes merged commit 4081e94 into fluxcd:main Nov 16, 2021
@vespian vespian deleted the prozlach/bump_alpine_image branch November 16, 2021 12:32
This was referenced Nov 16, 2021
Merged
Merged
Merged
@vespian
Copy link
Contributor Author

vespian commented Nov 16, 2021

@makkes we need to update Alpine to 3.14 for all the Flux components that use it as base image:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@makkes makkes makkes approved these changes

Assignees
No one assigned
Labels
area/ci CI related issues and pull requests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vespian @stefanprodan @makkes