Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: address CVE-2023-39325 #611

Merged
merged 19 commits into from
Oct 27, 2023
Merged

fix: address CVE-2023-39325 #611

merged 19 commits into from
Oct 27, 2023

Conversation

jaideepr97
Copy link
Collaborator

What type of PR is this?

Uncomment only one /kind line, and delete the rest.
For example, > /kind bug would simply become: /kind bug

/kind bug
/kind cleanup
/kind failing-test
/kind enhancement
/kind documentation
/kind code-refactoring

What does this PR do / why we need it:
This PR contains the changes needed to address CVE-2023-39325. This includes:

  • upgrading golang tov1.20
  • upgrading k8s.io packages to v0.28.3
  • upgrading controller-runtime to v0.16.3
  • disabling http/2 and defaulting to http/1.1 for the metrics and webhook servers

Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

Which issue(s) this PR fixes:

Fixes #?

Test acceptance criteria:

  • Unit Test
  • E2E Test

How to test changes / Special notes to the reviewer:

@openshift-ci openshift-ci bot added the kind/enhancement New feature or request label Oct 24, 2023
@jaideepr97 jaideepr97 changed the title fix: adress CVE-2023-39325 fix: address CVE-2023-39325 Oct 24, 2023
@varshab1210
Changing go version for CI
4fbe54a 
Signed-off-by: varshab1210 <varshab1210@gmail.com>
@varshab1210
Copy link
Member

/test all

@varshab1210
Copy link
Member

Re triggering CI for test failure "no endpoints available for service "openshift-gitops-operator-controller-manager-service"

/retest

@svghadi
Disable http/2 on webhook server
6cff7f8 
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
@svghadi
Revert "Disable http/2 on webhook server"
54ee213 
This reverts commit 6cff7f8.
Previous changes work as expected.

Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
@varshab1210
Copy link
Member

/test v4.13-kuttl-sequential

Test failure

@jaideepr97
update kube-rbac-proxy image
f323484 
Signed-off-by: Jaideep Rao <jaideep.r97@gmail.com>
@jaideepr97
undo makefile changes
59aa476 
Signed-off-by: Jaideep Rao <jaideep.r97@gmail.com>
@jaideepr97
disable http2 for kube-rbac-proxy
3d26499 
Signed-off-by: Jaideep Rao <jaideep.r97@gmail.com>
@varshab1210
Copy link
Member

/retest

@jaideepr97
switch to floating tag for kube-rbac-proxy image
5315c4d 
Signed-off-by: Jaideep Rao <jaideep.r97@gmail.com>
@jaideepr97
consume argocd-operator commit
97ae28b 
Signed-off-by: Jaideep Rao <jaideep.r97@gmail.com>
@jaideepr97
remove http2 disable command line arg
96a8a37 
Signed-off-by: Jaideep Rao <jaideep.r97@gmail.com>
@jaideepr97
Copy link
Collaborator Author

/retest-required

@iam-veeramalla
Copy link
Collaborator

/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm label Oct 27, 2023
@openshift-ci
Copy link

openshift-ci bot commented Oct 27, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: iam-veeramalla

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jaideepr97
Copy link
Collaborator Author

/retest-required

@openshift-ci openshift-ci bot merged commit 7087f6b into redhat-developer:master Oct 27, 2023
18 checks passed
trdoyle81 pushed a commit to trdoyle81/gitops-operator that referenced this pull request Aug 13, 2024
@jaideepr97 @varshab1210 @svghadi
fix: address CVE-2023-39325 (redhat-developer#611)
661b784 
* update to go 1.20; disable http2 for servers; upgrade k8s packages

Signed-off-by: Jaideep Rao <jaideep.r97@gmail.com>

* remove secure serving option for metrics

Signed-off-by: Jaideep Rao <jaideep.r97@gmail.com>

* Changing go version for CI

Signed-off-by: varshab1210 <varshab1210@gmail.com>

* Disable http/2 on webhook server

Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>

* Revert "Disable http/2 on webhook server"

This reverts commit 6cff7f8.
Previous changes work as expected.

Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>

* consume keycloak segmentation fault fix

Signed-off-by: Jaideep Rao <jaideep.r97@gmail.com>

* update kube-rbac-proxy image

Signed-off-by: Jaideep Rao <jaideep.r97@gmail.com>

* undo makefile changes

Signed-off-by: Jaideep Rao <jaideep.r97@gmail.com>

* disable http2 for kube-rbac-proxy

Signed-off-by: Jaideep Rao <jaideep.r97@gmail.com>

* switch to floating tag for kube-rbac-proxy image

Signed-off-by: Jaideep Rao <jaideep.r97@gmail.com>

* consume argocd-operator commit

Signed-off-by: Jaideep Rao <jaideep.r97@gmail.com>

* remove http2 disable command line arg

Signed-off-by: Jaideep Rao <jaideep.r97@gmail.com>

---------

Signed-off-by: Jaideep Rao <jaideep.r97@gmail.com>
Signed-off-by: varshab1210 <varshab1210@gmail.com>
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
Co-authored-by: varshab1210 <varshab1210@gmail.com>
Co-authored-by: Siddhesh Ghadi <sghadi1203@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chetan-rns chetan-rns Awaiting requested review from chetan-rns

@sbose78 sbose78 Awaiting requested review from sbose78

Assignees

@iam-veeramalla iam-veeramalla

Labels
approved kind/enhancement New feature or request lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jaideepr97 @varshab1210 @iam-veeramalla @svghadi