Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport of [NET-2420] security: Upgrade helm containerd and several other dependencies into release/1.1.x #3638

Conversation

hc-github-team-consul-core
Copy link
Collaborator

Backport

This PR is auto-generated from #3625 to be assessed for backporting due to the inclusion of the label backport/1.1.x.

🚨

Warning automatic cherry-pick of commits failed. If the first commit failed,
you will see a blank no-op commit below. If at least one commit succeeded, you
will see the cherry-picked commits up to, not including, the commit where
the merge conflict occurred.

The person who merged in the original PR is:
@zalimeni
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul-k8s/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.


This upgrades several dependencies to address open CVEs in the cli module (caused by our consumption of 3rd-party libs for API clients that are bundled w/ unused runtimes, where a non-impacting vulnerability actually exists) and cross-compatibility between upgraded modules.

This will allow us to re-enable release blocks on Go module scan results in CRT, previously disabled in:

Changes proposed in this PR

Upgrade the following (split by commit to aid review):

  • helm/v3 3.9.4 -> 3.11.3
    • Later versions have introduced breaking changes. I believe we will eventually want to match our helm version to K8s per this matrix, but the current goal is to address open CVEs, not correct the version alignment.
  • k8s.io/ dependencies 1.26.? -> 1.26.10 to match controller-runtime / helm
  • containerd 1.3.0 -> 1.7.13 (latest)
  • docker/docker 23.0.3+incompatible -> 25.0.2+incompatible (latest)
  • oras.land/oras-go 1.2.2 -> 1.2.5 to fix docker incompatibility
  • docker/distribution 2.8.1+incompatible -> 2.8.3+incompatible (latest)
  • cyphar/filepath-securejoin 0.2.3 -> 0.2.4 (latest 0.x patch)

Automated backports will almost certainly fail, but I've added the labels JIC they're successful and to make it clear this should be backported.

How I've tested this PR

CI and acceptance tests continue to pass.

How I expect reviewers to test this PR

👀 + 💭

Checklist


Overview of commits

@hashicorp-cla
Copy link

hashicorp-cla commented Feb 16, 2024

CLA assistant check
All committers have signed the CLA.

@zalimeni zalimeni force-pushed the backport/zalimeni/upgrade-helm-containerd/finally-noble-lamprey branch 2 times, most recently from c307d19 to 493dcf0 Compare February 16, 2024 15:15
@zalimeni zalimeni force-pushed the backport/zalimeni/upgrade-helm-containerd/finally-noble-lamprey branch from 493dcf0 to 3d507f3 Compare February 16, 2024 15:58
@zalimeni zalimeni marked this pull request as ready for review February 16, 2024 16:03
@zalimeni
Copy link
Member

I've hand-checked this diff for alignment w/ the original change after manually applying each individual bump from that PR. I don't see any red-flag differences in the deps diffs, and they're mostly-similar due to backports apart from a few that were apparently missed on some branches in the past.

@zalimeni zalimeni merged commit 16ff1c2 into release/1.1.x Feb 17, 2024
40 checks passed
@zalimeni zalimeni deleted the backport/zalimeni/upgrade-helm-containerd/finally-noble-lamprey branch February 17, 2024 00:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants