Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: enable sha256 and sha512 for git ssh #18028

Merged
merged 4 commits into from
Apr 30, 2024

Conversation

zamedic
Copy link
Contributor

@zamedic zamedic commented Apr 30, 2024

Azure devops is sunsetting sha1, which is currently causing the issues as per
Fixes #17634

the knownhost library added the missing sha256 and sha512 algorithms in version 1.2.2
skeema/knownhosts@bd8e67e

This fix bumps the go.mod to use the new version and has been tested on our local clusters.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@zamedic zamedic requested a review from a team as a code owner April 30, 2024 09:43
…allows for sha256 and sha512 algorithms when using git ssh

Signed-off-by: Marc Arndt <marc@marcarndt.com>
Signed-off-by: Marc Arndt <m.arndt@evana.de>
Copy link
Member

@jannfis jannfis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @zamedic

@jannfis jannfis merged commit a63068d into argoproj:master Apr 30, 2024
27 checks passed
@jannfis
Copy link
Member

jannfis commented Apr 30, 2024

/cherry-pick release-2.10

gcp-cherry-pick-bot bot pushed a commit that referenced this pull request Apr 30, 2024
* fix: bumping the knownhosts to v1.2.2 since this contains a fix that allows for sha256 and sha512 algorithms when using git ssh

Signed-off-by: Marc Arndt <marc@marcarndt.com>
Signed-off-by: Marc Arndt <m.arndt@evana.de>

* chore: remove older version of module from go sum

Signed-off-by: Marc Arndt <m.arndt@evana.de>

---------

Signed-off-by: Marc Arndt <marc@marcarndt.com>
Signed-off-by: Marc Arndt <m.arndt@evana.de>
Co-authored-by: Marc Arndt <m.arndt@evana.de>
@jannfis
Copy link
Member

jannfis commented Apr 30, 2024

/cherry-pick release-2.9

gcp-cherry-pick-bot bot pushed a commit that referenced this pull request Apr 30, 2024
* fix: bumping the knownhosts to v1.2.2 since this contains a fix that allows for sha256 and sha512 algorithms when using git ssh

Signed-off-by: Marc Arndt <marc@marcarndt.com>
Signed-off-by: Marc Arndt <m.arndt@evana.de>

* chore: remove older version of module from go sum

Signed-off-by: Marc Arndt <m.arndt@evana.de>

---------

Signed-off-by: Marc Arndt <marc@marcarndt.com>
Signed-off-by: Marc Arndt <m.arndt@evana.de>
Co-authored-by: Marc Arndt <m.arndt@evana.de>
@jannfis
Copy link
Member

jannfis commented Apr 30, 2024

/cherry-pick release-2.8

Copy link

Cherry-pick failed with Merge error a63068d06fdeb0463f9fb4f6cb705a0b1cf7cece into temp-cherry-pick-ff6fdf-release-2.8

jannfis pushed a commit that referenced this pull request Apr 30, 2024
* fix: bumping the knownhosts to v1.2.2 since this contains a fix that allows for sha256 and sha512 algorithms when using git ssh




* chore: remove older version of module from go sum



---------

Signed-off-by: Marc Arndt <marc@marcarndt.com>
Signed-off-by: Marc Arndt <m.arndt@evana.de>
Co-authored-by: Marc Arndt <marc@marcarndt.com>
Co-authored-by: Marc Arndt <m.arndt@evana.de>
@jannfis
Copy link
Member

jannfis commented Apr 30, 2024

/cherry-pick release-2.11

gcp-cherry-pick-bot bot pushed a commit that referenced this pull request Apr 30, 2024
* fix: bumping the knownhosts to v1.2.2 since this contains a fix that allows for sha256 and sha512 algorithms when using git ssh

Signed-off-by: Marc Arndt <marc@marcarndt.com>
Signed-off-by: Marc Arndt <m.arndt@evana.de>

* chore: remove older version of module from go sum

Signed-off-by: Marc Arndt <m.arndt@evana.de>

---------

Signed-off-by: Marc Arndt <marc@marcarndt.com>
Signed-off-by: Marc Arndt <m.arndt@evana.de>
Co-authored-by: Marc Arndt <m.arndt@evana.de>
jannfis pushed a commit that referenced this pull request Apr 30, 2024
* fix: bumping the knownhosts to v1.2.2 since this contains a fix that allows for sha256 and sha512 algorithms when using git ssh




* chore: remove older version of module from go sum



---------

Signed-off-by: Marc Arndt <marc@marcarndt.com>
Signed-off-by: Marc Arndt <m.arndt@evana.de>
Co-authored-by: Marc Arndt <marc@marcarndt.com>
Co-authored-by: Marc Arndt <m.arndt@evana.de>
jannfis pushed a commit that referenced this pull request Apr 30, 2024
* fix: bumping the knownhosts to v1.2.2 since this contains a fix that allows for sha256 and sha512 algorithms when using git ssh




* chore: remove older version of module from go sum



---------

Signed-off-by: Marc Arndt <marc@marcarndt.com>
Signed-off-by: Marc Arndt <m.arndt@evana.de>
Co-authored-by: Marc Arndt <marc@marcarndt.com>
Co-authored-by: Marc Arndt <m.arndt@evana.de>
pasha-codefresh added a commit to codefresh-io/argo-cd that referenced this pull request May 14, 2024
* fix: elements should be optional (argoproj#17424) (argoproj#17510)

A bug was reported, where an applicationset with an empty elements
array, when created with `argocd appset create <filename>.yaml` gets a
`...list.elements: Required value` error.

My hypothesis is that when calling the K8s API, golang JSON marshalling
mangles the empty `elements` array to `nil`, rather than creating an
empty array when submitting the `POST`.

Still need to figure out why the same setup seemingly works fine when
the same appset is in an app-of-apps.

Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
Co-authored-by: Blake Pettersson <blake.pettersson@gmail.com>

* Merge pull request from GHSA-jhwx-mhww-rgc3

* sec: limit helm index max size

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* sec: limit helm index max size

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* feat: fix tests and linter

Signed-off-by: pashakostohrys <pavel@codefresh.io>

---------

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* Bump version to 2.10.5 (argoproj#17654)

Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: pasha-codefresh <pasha-codefresh@users.noreply.github.com>

* fix cosign (argoproj#17656)

Signed-off-by: Justin Marquis <justin@akuity.io>

* chore(deps): bump webpack-dev-middleware from 5.3.1 to 5.3.4 in /ui (argoproj#17598) (argoproj#17686)

Bumps [webpack-dev-middleware](https://github.com/webpack/webpack-dev-middleware) from 5.3.1 to 5.3.4.
- [Release notes](https://github.com/webpack/webpack-dev-middleware/releases)
- [Changelog](https://github.com/webpack/webpack-dev-middleware/blob/v5.3.4/CHANGELOG.md)
- [Commits](webpack/webpack-dev-middleware@v5.3.1...v5.3.4)

---
updated-dependencies:
- dependency-name: webpack-dev-middleware
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(ui): Fix color generation for pod name in logs viewer. Fixes argoproj#17704 (argoproj#17706) (argoproj#17710)

* Fix color generation for pod name in logs viewer



* Add rebuy to users.md



---------

Signed-off-by: Philipp Trulson <der-eismann@users.noreply.github.com>
Co-authored-by: Philipp Trulson <der-eismann@users.noreply.github.com>

* fix: fix calculating patch for respect ignore diff feature (argoproj#17693)

* test: unit test for respectIgnoreDifferences bug

Signed-off-by: Jesse Suen <jesse@akuity.io>

* test: simplify unit test

Signed-off-by: Jesse Suen <jesse@akuity.io>

* fix: fix calculating patch for respect ignore diff feature

Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>

---------

Signed-off-by: Jesse Suen <jesse@akuity.io>
Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>
Co-authored-by: Jesse Suen <jesse@akuity.io>

* fix(security): use Chainguard fork of git-urls (argoproj#17732) (argoproj#17735)

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* Bump version to 2.10.6 (argoproj#17744)

Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: alexmt <alexmt@users.noreply.github.com>

* Merge pull request from GHSA-2gvw-w6fj-7m3c

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* Bump version to 2.10.7 (argoproj#17831)

Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: pasha-codefresh <pasha-codefresh@users.noreply.github.com>

* fix: docker build fails due to "The repository 'http://deb.debian.org/debian buster-backports Release' does not have a Release file."

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* fix: codegen and e2e tests in release-2.10 (argoproj#17844)

* fix: codegen and e2e tests

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* fix: codegen and e2e tests

Signed-off-by: pashakostohrys <pavel@codefresh.io>

---------

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* chore: upgrade redis to 7.0.15 (argoproj#17666)

Upgrade to latest stable 7.0.x version to fix CVEs:

CVE-2023-41056

Signed-off-by: Tais P. Hansen <taishansen@gmail.com>

* Merge pull request from GHSA-9m6p-x4h2-6frq

* feat: limit jq.Run with timeout

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* feat: ignore normalizer jq execution timeout as env variable

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* feat: customize error message and add doc section

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* feat: improve log and change a way how to get variable

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* chore: fix import`s order

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* chore: rename variable inside sts

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* chore: fix import order

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* chore: fix import`s order

Signed-off-by: pashakostohrys <pavel@codefresh.io>

---------

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* Merge pull request from GHSA-9m6p-x4h2-6frq

* feat: limit jq.Run with timeout

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* feat: ignore normalizer jq execution timeout as env variable

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* feat: customize error message and add doc section

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* feat: improve log and change a way how to get variable

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* chore: fix import`s order

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* chore: rename variable inside sts

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* chore: fix import order

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* chore: fix import`s order

Signed-off-by: pashakostohrys <pavel@codefresh.io>

---------

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* fix: codegen after security fix - 2.10 (argoproj#17985)

* fix: codegen after security fix

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* fix: codegen after security fix

Signed-off-by: pashakostohrys <pavel@codefresh.io>

---------

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* Bump version to 2.10.8 (argoproj#17990)

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: pasha-codefresh <39732895+pasha-codefresh@users.noreply.github.com>

* fix: enable sha256 and sha512 for git ssh (argoproj#18028) (argoproj#18029)

* fix: bumping the knownhosts to v1.2.2 since this contains a fix that allows for sha256 and sha512 algorithms when using git ssh




* chore: remove older version of module from go sum



---------

Signed-off-by: Marc Arndt <marc@marcarndt.com>
Signed-off-by: Marc Arndt <m.arndt@evana.de>
Co-authored-by: Marc Arndt <marc@marcarndt.com>
Co-authored-by: Marc Arndt <m.arndt@evana.de>

* Bump version to 2.10.9 (argoproj#18033)

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: jannfis <3942683+jannfis@users.noreply.github.com>

* fix: status.sync.comparedTo should use replace patch strategy (argoproj#18061) (argoproj#18075)

* fix: status.sync.comparedTo should use replace patch strategy



* add e2e tests



---------

Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>

* chore: bump go-jose from 3.0.1 to 3.0.3 (argoproj#18102)

Signed-off-by: Jayendra Parsai <jparsai@jparsai-thinkpadp1gen4i.remote.csb>
Co-authored-by: Jayendra Parsai <jparsai@jparsai-thinkpadp1gen4i.remote.csb>

* docs: fix 404 styling (argoproj#18094) (argoproj#18105)

* docs: fix 404 styling



* hack around custom tag destruction



---------

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* chore: update gitops engine for force sync option (argoproj#5882) - 2.10 (argoproj#18123)

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* fix: Enable Redis authentication in the default installation

* fix: linter issue

* fix: linter issue

---------

Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
Signed-off-by: pashakostohrys <pavel@codefresh.io>
Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Justin Marquis <justin@akuity.io>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Philipp Trulson <der-eismann@users.noreply.github.com>
Signed-off-by: Jesse Suen <jesse@akuity.io>
Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Signed-off-by: Tais P. Hansen <taishansen@gmail.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Marc Arndt <marc@marcarndt.com>
Signed-off-by: Marc Arndt <m.arndt@evana.de>
Signed-off-by: Jayendra Parsai <jparsai@jparsai-thinkpadp1gen4i.remote.csb>
Co-authored-by: gcp-cherry-pick-bot[bot] <98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com>
Co-authored-by: Blake Pettersson <blake.pettersson@gmail.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: pasha-codefresh <pasha-codefresh@users.noreply.github.com>
Co-authored-by: Justin Marquis <76892343+34fathombelow@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Philipp Trulson <der-eismann@users.noreply.github.com>
Co-authored-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>
Co-authored-by: Jesse Suen <jesse@akuity.io>
Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: alexmt <alexmt@users.noreply.github.com>
Co-authored-by: Tais P. Hansen <taisph@users.noreply.github.com>
Co-authored-by: Marc Arndt <marc@marcarndt.com>
Co-authored-by: Marc Arndt <m.arndt@evana.de>
Co-authored-by: jannfis <3942683+jannfis@users.noreply.github.com>
Co-authored-by: Jayendra Parsai <jparsai@redhat.com>
Co-authored-by: Jayendra Parsai <jparsai@jparsai-thinkpadp1gen4i.remote.csb>
Co-authored-by: May Zhang <may_zhang@intuit.com>
mkieweg pushed a commit to mkieweg/argo-cd that referenced this pull request Jun 11, 2024
* fix: bumping the knownhosts to v1.2.2 since this contains a fix that allows for sha256 and sha512 algorithms when using git ssh

Signed-off-by: Marc Arndt <marc@marcarndt.com>
Signed-off-by: Marc Arndt <m.arndt@evana.de>

* chore: remove older version of module from go sum

Signed-off-by: Marc Arndt <m.arndt@evana.de>

---------

Signed-off-by: Marc Arndt <marc@marcarndt.com>
Signed-off-by: Marc Arndt <m.arndt@evana.de>
Co-authored-by: Marc Arndt <m.arndt@evana.de>
Hariharasuthan99 pushed a commit to AmadeusITGroup/argo-cd that referenced this pull request Jun 16, 2024
* fix: bumping the knownhosts to v1.2.2 since this contains a fix that allows for sha256 and sha512 algorithms when using git ssh

Signed-off-by: Marc Arndt <marc@marcarndt.com>
Signed-off-by: Marc Arndt <m.arndt@evana.de>

* chore: remove older version of module from go sum

Signed-off-by: Marc Arndt <m.arndt@evana.de>

---------

Signed-off-by: Marc Arndt <marc@marcarndt.com>
Signed-off-by: Marc Arndt <m.arndt@evana.de>
Co-authored-by: Marc Arndt <m.arndt@evana.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

ArgoCD Repo Server stops pulling git repositories due to Azure Devops Repos current sunset SSH-RSA strategy
2 participants