fix: address CVE-2023-39325 #611

Merged
merged 19 commits into from
Oct 27, 2023

Conversation

jaideepr97
Contributor

What type of PR is this?

Uncomment only one /kind line, and delete the rest.
For example, > /kind bug would simply become: /kind bug

/kind bug
/kind cleanup
/kind failing-test
/kind enhancement
/kind documentation
/kind code-refactoring

What does this PR do / why we need it:
This PR contains the changes needed to address CVE-2023-39325. This includes:

  • upgrading golang to v1.20
  • upgrading k8s.io packages to v0.28.3
  • upgrading controller-runtime to v0.16.3
  • disabling http/2 and defaulting to http/1.1 for the metrics and webhook servers

Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

Which issue(s) this PR fixes:

Fixes #?

Test acceptance criteria:

  • Unit Test
  • E2E Test

How to test changes / Special notes to the reviewer:

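As an added illustration of the last bullet in the description (this is example code, not code from this PR or from gitops-operator), the Go snippet below shows a TLS option in the func(*tls.Config) shape that controller-runtime's TLSOpts accepts, and checks over an in-memory handshake that a client preferring h2 is held to HTTP/1.1 once the option is applied. The self-signed certificate, the negotiate helper and the ALPN lists are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// disableHTTP2 has the func(*tls.Config) shape controller-runtime accepts in TLSOpts. Pinning ALPN to
// http/1.1 means no client can negotiate h2, so the HTTP/2 stream layer abused by CVE-2023-39325 is
// never entered on the metrics or webhook listener.
func disableHTTP2(c *tls.Config) {
	c.NextProtos = []string{"http/1.1"}
}

// selfSigned mints a throwaway localhost certificate (constructed here) so the handshake runs offline.
func selfSigned() (tls.Certificate, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// negotiate handshakes over an in-memory pipe between a client that offers h2 first (as Go's
// http.Transport does) and a server with opts applied; it returns the ALPN protocol selected.
func negotiate(opts ...func(*tls.Config)) (string, error) {
	cert, pool := selfSigned()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, NextProtos: []string{"h2", "http/1.1"}}
	for _, o := range opts {
		o(srvCfg)
	}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost", NextProtos: []string{"h2", "http/1.1"}}
	c, s := net.Pipe()
	defer c.Close()                      // also unblocks the server goroutine
	go tls.Server(s, srvCfg).Handshake() // server side; any failure surfaces as a client error
	cli := tls.Client(c, cliCfg)
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	return cli.ConnectionState().NegotiatedProtocol, nil
}
```

negotiate() returns "h2" with the default config and "http/1.1" once disableHTTP2 is passed in, which is the observable effect of the change described above.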
@openshift-ci openshift-ci bot added the kind/enhancement New feature or request label Oct 24, 2023
@openshift-ci openshift-ci bot requested review from chetan-rns and sbose78 October 24, 2023 22:18
@jaideepr97 jaideepr97 changed the title fix: adress CVE-2023-39325 fix: address CVE-2023-39325 Oct 24, 2023
Signed-off-by: varshab1210 <[email protected]>
@varshab1210
Member

/test all

@varshab1210
Member

Re-triggering CI for test failure "no endpoints available for service "openshift-gitops-operator-controller-manager-service""

/retest

Signed-off-by: Siddhesh Ghadi <[email protected]>
This reverts commit 6cff7f8.
Previous changes work as expected.

Signed-off-by: Siddhesh Ghadi <[email protected]>
@svghadi svghadi force-pushed the fix-cve-2023-39325 branch from 80b770b to 54ee213 on October 25, 2023 10:47
@varshab1210
Member

/test v4.13-kuttl-sequential

Test failure

@varshab1210
Member

/retest

@jaideepr97
Contributor Author

/retest-required

@iam-veeramalla
Contributor

/lgtm
/approve

@openshift-ci

openshift-ci bot commented Oct 27, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: iam-veeramalla

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jaideepr97
Contributor Author

/retest-required

@openshift-ci openshift-ci bot merged commit 7087f6b into redhat-developer:master Oct 27, 2023
trdoyle81 pushed a commit to trdoyle81/gitops-operator that referenced this pull request Aug 13, 2024
* update to go 1.20; disable http2 for servers; upgrade k8s packages

Signed-off-by: Jaideep Rao <[email protected]>

* remove secure serving option for metrics

Signed-off-by: Jaideep Rao <[email protected]>

* Changing go version for CI

Signed-off-by: varshab1210 <[email protected]>

* Disable http/2 on webhook server

Signed-off-by: Siddhesh Ghadi <[email protected]>

* Revert "Disable http/2 on webhook server"

This reverts commit 6cff7f8.
Previous changes work as expected.

Signed-off-by: Siddhesh Ghadi <[email protected]>

* consume keycloak segmentation fault fix

Signed-off-by: Jaideep Rao <[email protected]>

* update kube-rbac-proxy image

Signed-off-by: Jaideep Rao <[email protected]>

* undo makefile changes

Signed-off-by: Jaideep Rao <[email protected]>

* disable http2 for kube-rbac-proxy

Signed-off-by: Jaideep Rao <[email protected]>

* switch to floating tag for kube-rbac-proxy image

Signed-off-by: Jaideep Rao <[email protected]>

* consume argocd-operator commit

Signed-off-by: Jaideep Rao <[email protected]>

* remove http2 disable command line arg

Signed-off-by: Jaideep Rao <[email protected]>

---------

Signed-off-by: Jaideep Rao <[email protected]>
Signed-off-by: varshab1210 <[email protected]>
Signed-off-by: Siddhesh Ghadi <[email protected]>
Co-authored-by: varshab1210 <[email protected]>
Co-authored-by: Siddhesh Ghadi <[email protected]>
4 participants