Merge branch 'master' into kopiaKanisterIntegrationPhase2

.github/workflows/atlas-image-build.yaml

@@ -21,7 +21,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
-      - uses: tj-actions/changed-files@56284d80811fb5963a972b438f2870f175e5b7c8 # v40.2.3
+      - uses: tj-actions/changed-files@716b1e13042866565e00e85fd4ec490e186c4a2f # v41.0.1
         name: Get changed files
         id: changed-files
         with:
@@ -39,7 +39,7 @@ jobs:
       uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
     - name: Image metadata
       id: meta
-      uses: docker/metadata-action@9dc751fe249ad99385a2583ee0d084c400eee04e # v5.4.0
+      uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0
       with:
         images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
         tags: |

.github/workflows/grype-vulnerability-scanner.yaml

@@ -34,10 +34,10 @@ jobs:
     steps:
       - name: Printing Image Registry
         id: image-registry
-        run: echo "image_registry=${{fromJson(needs.vulnerability-scanner.outputs.valid_images).image_registry}}" >>  "$GITHUB_ENV"  
+        run: echo "image_registry=${{fromJson(needs.vulnerability-scanner.outputs.valid_images).image_registry}}" >>  "$GITHUB_ENV"
       - name: Printing Image Tag
         id: image-tag
-        run: echo "image_tag=${{fromJson(needs.vulnerability-scanner.outputs.valid_images).tag}}" >>  "$GITHUB_ENV"  
+        run: echo "image_tag=${{fromJson(needs.vulnerability-scanner.outputs.valid_images).tag}}" >>  "$GITHUB_ENV"
       - name: Printing Image Path
         run: echo "image_path=${{env.image_registry}}/${{matrix.images}}:${{env.image_tag}}" >> "$GITHUB_ENV"
       - name: Running vulnerability scanner
@@ -55,6 +55,6 @@ jobs:
         with:
           ref: master
           path: repo
-      - name: Parsing vulnerability scanner report 
-        run: go run repo/pkg/tools/grype_report_parser_tool.go -s "High,Critical" -p results.json
+      - name: Parsing vulnerability scanner report
+        run: go run repo/pkg/tools/grype_report_parser_tool.go -s "High,Critical" -p results.json --github
 

.github/workflows/kanister-image-build.yaml

@@ -38,11 +38,13 @@ jobs:
     # needs: check-files
     # if: needs.check-files.outputs.changed == 'true'
     steps:
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
     - name: Image metadata
       id: meta
-      uses: docker/metadata-action@9dc751fe249ad99385a2583ee0d084c400eee04e # v5.4.0
+      uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0
       with:
         images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
         tags: |
@@ -60,6 +62,7 @@ jobs:
       uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
       with:
         context: "{{defaultContext}}:docker/build"
+        platforms: linux/amd64,linux/arm64
         push: true
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}

.github/workflows/ossf-scorecard.yml

@@ -39,7 +39,7 @@ jobs:
       -
         # Upload the results to GitHub's code scanning dashboard.
         name: "Upload to results to dashboard"
-        uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+        uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
         with:
           sarif_file: results.sarif
       -

.github/workflows/triage-issues.yaml

@@ -34,7 +34,7 @@ jobs:
           If you haven't already, please take a moment to review our project's [Code of Conduct](https://github.com/kanisterio/kanister/blob/master/CODE_OF_CONDUCT.md) document.
     -
       name: Update project
-      uses: alex-page/github-project-automation-plus@v0.8.3
+      uses: alex-page/github-project-automation-plus@v0.9.0
       with:
         repo-token: ${{ secrets.GH_TOKEN }} # must use a PAT here
         project: Kanister

.github/workflows/triage-prs.yaml

@@ -31,7 +31,7 @@ jobs:
           If you haven't already, please take a moment to review our project [contributing guideline](https://github.com/kanisterio/kanister/blob/master/CONTRIBUTING.md) and [Code of Conduct](https://github.com/kanisterio/kanister/blob/master/CODE_OF_CONDUCT.md) document.
     -
       name: Update status in project
-      uses: alex-page/github-project-automation-plus@v0.8.3
+      uses: alex-page/github-project-automation-plus@v0.9.0
       # This only works for PRs opened in the same repo and not by dependabot.
       # Other PRs don't get the necessary credentials.
       if: github.repository == 'kanisterio/kanister' && !github.event.pull_request.head.repo.fork

.goreleaser.yml

@@ -24,9 +24,11 @@ builds:
   - amd64
 - id: kando
   binary: kando
-  main: cmd/kando/main.go
+  main: ./cmd/kando
   ldflags: *ldflags
   env: *env
+  tags:
+  - fipsonly
   goos: &goos
   - linux
   goarch: *goarch
@@ -72,6 +74,8 @@ dockers:
   image_templates:
   - 'ghcr.io/kanisterio/postgres-kanister-tools:{{ .Tag }}'
   dockerfile: 'docker/postgres-kanister-tools/Dockerfile'
+  build_flag_templates:
+  - "--build-arg=TOOLS_IMAGE=ghcr.io/kanisterio/kanister-tools:{{ .Tag }}"
 - image_templates:
   - 'ghcr.io/kanisterio/postgresql:{{ .Tag }}'
   dockerfile: 'docker/postgresql/Dockerfile'
@@ -99,11 +103,15 @@ dockers:
   image_templates:
   - 'ghcr.io/kanisterio/mongodb:{{ .Tag }}'
   dockerfile: 'docker/mongodb/Dockerfile'
+  build_flag_templates:
+  - "--build-arg=TOOLS_IMAGE=ghcr.io/kanisterio/kanister-tools:{{ .Tag }}"
 - ids:
   - kando
   image_templates:
   - 'ghcr.io/kanisterio/cassandra:{{ .Tag }}'
   dockerfile: 'docker/cassandra/Dockerfile'
+  build_flag_templates:
+  - "--build-arg=TOOLS_IMAGE=ghcr.io/kanisterio/kanister-tools:{{ .Tag }}"
 - image_templates:
   - 'ghcr.io/kanisterio/kafka-adobe-s3-source-connector:{{ .Tag }}'
   dockerfile: 'docker/kafka-adobes3Connector/image/adobeSource.Dockerfile'

Makefile

@@ -94,8 +94,8 @@ build: bin/$(ARCH)/$(BIN)
 
 build-controller:
 	@$(MAKE) run CMD=" \
-	goreleaser build --id $(BIN) --rm-dist --debug --snapshot \
-	&& cp dist/$(BIN)_linux_$(ARCH)_*/$(BIN) bin/$(ARCH)/$(BIN) \
+	GOOS=linux GOARCH=$(ARCH) goreleaser build --id $(BIN) --rm-dist --debug --snapshot --single-target \
+	&& cp dist/$(BIN)_linux_$(ARCH)*/$(BIN) bin/$(ARCH)/$(BIN) \
 	"
 
 bin/$(ARCH)/$(BIN):

build/package.sh

@@ -35,7 +35,6 @@ build_licenses_info_image() {
         exit 1
     fi
     docker run --rm ${mount_cmd} \
-        --platform linux/${ARCH}\
         "ghcr.io/kanisterio/license-extractor:4e0a91a" \
         --mode merge \
         --source ${src_dir} \

cmd/kando/fipsonly.go

@@ -0,0 +1,19 @@
+// Copyright 2019 The Kanister Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build fipsonly
+
+package main
+
+import _ "crypto/tls/fipsonly" // Required for enabling fips only mode

docker/build/Dockerfile

@@ -1,11 +1,13 @@
 FROM golang:1.21-bullseye
 LABEL maintainer="Tom Manville<tom@kasten.io>"
 
+ARG TARGETPLATFORM
+
 RUN apt-get update && apt-get -y install apt-transport-https ca-certificates bash git gnupg2 software-properties-common curl jq wget \
     && update-ca-certificates
 
 RUN curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg \
-    && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list
+    && echo "deb [signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list
 
 RUN apt update && apt install -y docker-ce docker-ce-cli containerd.io \
     && apt-get clean
@@ -18,7 +20,8 @@ COPY --from=alpine/helm:3.12.2 /usr/bin/helm /usr/local/bin/
 
 COPY --from=golangci/golangci-lint:v1.55 /usr/bin/golangci-lint /usr/local/bin/
 
-RUN wget -O /usr/local/bin/kind https://github.com/kubernetes-sigs/kind/releases/download/v0.18.0/kind-linux-amd64 \
+RUN wget -O /usr/local/bin/kind \
+      https://github.com/kubernetes-sigs/kind/releases/download/v0.18.0/kind-$(echo $TARGETPLATFORM | tr / -) \
     && chmod +x /usr/local/bin/kind
 
 RUN git config --global --add safe.directory /go/src/github.com/kanisterio/kanister

docker/cassandra/Dockerfile

@@ -1,9 +1,17 @@
-FROM bitnami/cassandra:3.11.8-debian-10-r20
+# We get tools from tools image
+# Tools are not up to date in debian repos
+ARG TOOLS_IMAGE
+FROM ${TOOLS_IMAGE} AS TOOLS_IMAGE
+
+# Actual image base
+FROM bitnami/cassandra:4.1.3-debian-11-r76
 
 MAINTAINER "Tom Manville <tom@kasten.io>"
 
 # Install restic to take backups
-COPY --from=restic/restic:0.11.0 /usr/bin/restic /usr/local/bin/restic
+COPY --from=TOOLS_IMAGE /usr/local/bin/restic /usr/local/bin/restic
+# Update gosu from recent version
+COPY --from=TOOLS_IMAGE /usr/local/bin/gosu /usr/local/bin/gosu
 
-# Install kando 
+# Install kando
 ADD kando /usr/local/bin/

docker/kafka-adobes3Connector/image/adobeSink.Dockerfile

@@ -1,11 +1,10 @@
-FROM confluentinc/cp-kafka-connect:6.1.0
+FROM confluentinc/cp-kafka-connect:7.4.3
 
 USER root
 
-RUN microdnf install -y lsof
-
-# copy the jar files
+RUN microdnf install -y lsof platform-python python3-libs
 
+# TODO: maybe use builder image for that
 RUN microdnf install -y \
    java-1.8.0-openjdk \
    java-1.8.0-openjdk-devel
@@ -14,9 +13,14 @@ ENV JAVA_HOME /usr/lib/jvm/java-1.8.0-openjdk/
 RUN microdnf install git -y
 RUN java -version
 RUN git clone https://github.com/adobe/kafka-connect-s3.git
+# Temp patch until vulnerable deps are fixed
+RUN sed -i "s/versions.awsSdkS3 = '1.11.803'/versions.awsSdkS3 = '1.12.261'/g" kafka-connect-s3/dependencies.gradle
+RUN sed -i "s/versions.jackson = '2.10.4'/versions.jackson = '2.12.7.1'/g" kafka-connect-s3/dependencies.gradle
 RUN cd kafka-connect-s3 && ./gradlew shadowJar
 # copy the jar files
 RUN cp ./kafka-connect-s3/build/libs/kafka-connect-s3-chart/kafka-connect/0.0.4-2a8a4aa-all.jar /opt/
+# cleanup
+RUN rm -rf ~/.gradle ./kafka-connect-s3
 
 # Install kando
 ADD kando /usr/local/bin/

docker/kafka-adobes3Connector/image/adobeSource.Dockerfile

@@ -1,8 +1,11 @@
-FROM confluentinc/cp-kafka-connect:6.1.0
+FROM confluentinc/cp-kafka-connect:7.4.3
 
 USER root
-# copy the jar files
 
+RUN microdnf install -y \
+   platform-python python3-libs
+
+# TODO: maybe use builder image for that
 RUN microdnf install -y \
    java-1.8.0-openjdk \
    java-1.8.0-openjdk-devel
@@ -11,9 +14,14 @@ ENV JAVA_HOME /usr/lib/jvm/java-1.8.0-openjdk/
 RUN microdnf install git -y
 RUN java -version
 RUN git clone https://github.com/adobe/kafka-connect-s3.git
+# Temp patch until vulnerable deps are fixed
+RUN sed -i "s/versions.awsSdkS3 = '1.11.803'/versions.awsSdkS3 = '1.12.261'/g" kafka-connect-s3/dependencies.gradle
+RUN sed -i "s/versions.jackson = '2.10.4'/versions.jackson = '2.12.7.1'/g" kafka-connect-s3/dependencies.gradle
 RUN cd kafka-connect-s3 && ./gradlew shadowJar
-
+# copy the jar files
 RUN cp ./kafka-connect-s3/build/libs/kafka-connect-s3-chart/kafka-connect/0.0.4-2a8a4aa-all.jar /opt/
+# cleanup
+RUN rm -rf ~/.gradle ./kafka-connect-s3
 
 # adding script to monitor source connector
 COPY docker/kafka-adobes3Connector/image/adobe-monitorsource.sh monitorconnect.sh

docker/kanister-elasticsearch/image/Dockerfile

@@ -1,3 +1,5 @@
+# We get tools from tools image
+# Tools are not up to date in debian repos
 ARG TOOLS_IMAGE
 FROM ${TOOLS_IMAGE} AS TOOLS_IMAGE
 
@@ -10,7 +12,7 @@ RUN apt update
 RUN apt install -y npm bash curl libcap2-bin
 RUN curl -fsSL https://deb.nodesource.com/setup_current.x | bash - && \
  apt-get install -y nodejs
-RUN npm install -g npm yo grunt-cli bower express
+RUN npm install -g npm
 RUN npm install elasticdump -g
 
 RUN setcap cap_chown,cap_fowner,cap_dac_override+iep /usr/local/bin/kopia

docker/mongodb/Dockerfile

@@ -1,6 +1,14 @@
-FROM bitnami/mongodb:5.0.14-debian-11-r0
+# We get tools from tools image
+# Tools are not up to date in debian repos
+ARG TOOLS_IMAGE
+FROM ${TOOLS_IMAGE} AS TOOLS_IMAGE
+
+FROM bitnami/mongodb:7.0.4-debian-11-r0
 
 LABEL maintainer="Tom Manville <tom@kasten.io>"
 
+# Update gosu from recent version
+COPY --from=TOOLS_IMAGE /usr/local/bin/gosu /usr/local/bin/gosu
+
 # Install kando
 ADD kando /usr/local/bin/

docker/postgres-kanister-tools/Dockerfile

@@ -1,4 +1,10 @@
-FROM postgres:16-bullseye
+# We get tools from tools image
+# Tools are not up to date in debian repos
+ARG TOOLS_IMAGE
+FROM ${TOOLS_IMAGE} AS TOOLS_IMAGE
+
+# Actual image base
+FROM postgres:16.1-bullseye
 
 ENV DEBIAN_FRONTEND noninteractive
 
@@ -9,7 +15,11 @@ RUN apt-get update && apt-get -y install curl python3 groff less jq python3-pip
     pip3 install --upgrade awscli && \
     apt-get clean
 
-COPY --from=restic/restic:0.11.0 /usr/bin/restic /usr/local/bin/restic
+# Install restic to take backups
+COPY --from=TOOLS_IMAGE /usr/local/bin/restic /usr/local/bin/restic
+# Update gosu from recent version
+COPY --from=TOOLS_IMAGE /usr/local/bin/gosu /usr/local/bin/gosu
+
 ADD kando /usr/local/bin/
 
 CMD ["tail", "-f", "/dev/null"]

docker/tools/Dockerfile

@@ -3,6 +3,8 @@ FROM golang:1.21-bullseye AS builder
 
 ARG kopia_build_commit=master
 ARG kopia_repo_org=kopia
+ARG restic_vsn=v0.16.2
+ARG gosu_vsn=1.17
 ENV CGO_ENABLED=1 GOEXPERIMENT=boringcrypto GO_EXTLINK_ENABLED=0
 RUN apt-get install git
 
@@ -17,8 +19,24 @@ ENV GITHUB_REPOSITORY=https://github.com/restic/restic
 
 WORKDIR /restic
 
-RUN git checkout v0.16.2
-RUN go run build.go
+RUN git checkout ${restic_vsn} && \
+    echo 'package main' > cmd/restic/fipsonly.go && \
+    echo 'import _ "crypto/tls/fipsonly"' >> cmd/restic/fipsonly.go
+# use debug flag to preserve symbols
+RUN go run build.go --tags debug
+
+# Build restic binary from source - released version
+# This will allow us to bring in security fixes more up to date then apt repos
+WORKDIR /
+
+RUN git clone https://github.com/tianon/gosu.git
+
+ENV GITHUB_REPOSITORY=https://github.com/tianon/gosu
+
+WORKDIR /gosu
+
+RUN git checkout ${gosu_vsn}
+RUN go build -o gosu
 
 # Build kopia binary from specific commit
 WORKDIR /
@@ -29,7 +47,9 @@ ENV GITHUB_REPOSITORY=https://github.com/${kopia_repo_org}/kopia
 
 WORKDIR /kopia
 
-RUN git checkout ${kopia_build_commit}
+RUN git checkout ${kopia_build_commit} && \
+    echo 'package main' > fipsonly.go && \
+    echo 'import _ "crypto/tls/fipsonly"' >> fipsonly.go
 
 RUN GO111MODULE=on GOOS=linux GOARCH=amd64 go build -o kopia \
   -ldflags="-X github.com/kopia/kopia/repo.BuildVersion=$(git show --no-patch --format='%cs-%h') \
@@ -65,6 +85,7 @@ LABEL name="kanister-tools" \
     description="Tools for application-specific data protection"
 
 COPY --from=builder /restic/restic /usr/local/bin/restic
+COPY --from=builder /gosu/gosu /usr/local/bin/gosu
 COPY --from=builder /kopia/kopia /usr/local/bin/kopia
 COPY LICENSE /licenses/LICENSE
 

examples/aws-rds/postgresql/README.md

@@ -9,7 +9,7 @@ This example is to demonstrate how Kanister can be integrated with AWS RDS insta
 ## Prerequisites
 
 - Kubernetes 1.10+
-- Kanister controller version 0.103.0 installed in your cluster
+- Kanister controller version 0.104.0 installed in your cluster
 - Kanctl CLI installed (https://docs.kanister.io/tooling.html#kanctl)
 
 ## Create RDS instance on AWS