Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: upgrade dex to v2.32.1-distroless #10746

Merged
merged 3 commits into from Sep 30, 2022
Merged

chore: upgrade dex to v2.32.1-distroless #10746

merged 3 commits into from Sep 30, 2022

Conversation

34fathombelow
Copy link
Member

Signed-off-by: Justin Marquis 34fathombelow@protonmail.com

Argo CD version 2.5/master uses ghcr.io/dexidp/dex:v2.32.0-distroless while 2.2-4.x use ghcr.io/dexidp/dex:v2.32.0. The non distroless containers contain a few vulnerabilities at the container level.

CVE Library Score
CVE-2022-30065 busybox 7.8
CVE-2022-37434 zlib 9.8

I created an issue upstream and they agreed to release dex:v2.32.1 which is now available and fixes these vulnerabilities. However they normally only patch the latest 2 versions. I would recommend that we switch to the distroless images.

Unfortunately at this time we cannot upgrade to dex:v2.33.x or dex:v2.34.x, please see #10617

Please consider cherry picking into 2.4, 2.3, and 2.2.

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • Optional. My organization is added to USERS.md.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).

@34fathombelow
chore: upgrade dex to v2.32.1-distroless
ee6790a 
Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
@codecov
Copy link

codecov bot commented Sep 29, 2022
edited

Codecov Report

Base: 45.68% // Head: 45.68% // No change to project coverage 👍

Coverage data is based on head (692739d) compared to base (1944141).
Patch has no changes to coverable lines.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master   #10746   +/-   ##
=======================================
  Coverage   45.68%   45.68%           
=======================================
  Files         236      236           
  Lines       28668    28668           
=======================================
  Hits        13097    13097           
  Misses      13779    13779           
  Partials     1792     1792

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

@34fathombelow
Retrigger CI pipeline
50b94fd 
Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
@34fathombelow
Retrigger CI pipeline
692739d 
Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
crenshaw-dev
crenshaw-dev reviewed Sep 30, 2022
View reviewed changes
.github/workflows/ci-build.yaml
@@ -406,7 +406,7 @@ jobs:
git config --global user.email "john.doe@example.com"
- name: Pull Docker image required for tests
run: |
docker pull quay.io/dexidp/dex:v2.25.0
docker pull ghcr.io/dexidp/dex:v2.32.1-distroless
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. :-)

@crenshaw-dev crenshaw-dev added cherry-pick/2.2 Candidate for cherry picking into the 2.2 release branch cherry-pick/2.3 Candidate for cherry picking into the 2.3 release branch cherry-pick/2.4 Candidate for cherry picking into the 2.4 release branch labels Sep 30, 2022
crenshaw-dev
crenshaw-dev approved these changes Sep 30, 2022
View reviewed changes
Copy link
Collaborator

@crenshaw-dev crenshaw-dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you as always @34fathombelow!

@crenshaw-dev crenshaw-dev merged commit 90d5762 into argoproj:master Sep 30, 2022
crenshaw-dev added a commit that referenced this pull request Sep 30, 2022
@crenshaw-dev
chore: upgrade dex to v2.32.1-distroless (#10746)
83931b8 
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
crenshaw-dev added a commit that referenced this pull request Sep 30, 2022
@crenshaw-dev
chore: upgrade dex to v2.32.1-distroless (#10746)
919582d 
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
crenshaw-dev added a commit that referenced this pull request Sep 30, 2022
@crenshaw-dev
chore: upgrade dex to v2.32.1-distroless (#10746)
05f6491 
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
@crenshaw-dev
Copy link
Collaborator

Cherry-picked onto release-2.2 for 2.2.13, release-2.3 for 2.3.8, and release-2.4 for 2.4.13.

@34fathombelow 34fathombelow deleted the dex-upgrade branch September 30, 2022 23:13
ashutosh16 pushed a commit to ashutosh16/argo-cd that referenced this pull request Oct 7, 2022
@34fathombelow @ashutosh16
chore: upgrade dex to v2.32.1-distroless (argoproj#10746)
2d5406a 
* chore: upgrade dex to v2.32.1-distroless

Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>

* Retrigger CI pipeline

Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>

* Retrigger CI pipeline

Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>

Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crenshaw-dev crenshaw-dev crenshaw-dev approved these changes

Assignees
No one assigned
Labels
cherry-pick/2.2 Candidate for cherry picking into the 2.2 release branch cherry-pick/2.3 Candidate for cherry picking into the 2.3 release branch cherry-pick/2.4 Candidate for cherry picking into the 2.4 release branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@34fathombelow @crenshaw-dev