delineaxpm / dsv-k8s

A Delinea DevOps Secrets Vault Kubernetes Secrets Injector and Syncer

Home Page: https://delinea.com/products/devops-secrets-management-vault

License: MIT License

Languages: Dockerfile 1.47%, Makefile 6.25%, Smarty 3.02%, Go 79.86%, Shell 3.85%, Batchfile 0.27%, Starlark 5.28%
Topics: delinea, dsv, k8s, thycotic

dsv-k8s's People

Contributors

allcontributors[bot], amigus, delineakrehl, endlesstrax, forced-request, mend-for-github-com[bot], pacificcode, renovate[bot], sheldonhull, tylerezimmerman

dsv-k8s's Issues

Action Required: Fix Mend Configuration File - .whitesource - autoclosed

There is an error with this repository's Mend configuration file that needs to be fixed. As a precaution, scans will stop until it is resolved.

Errors:

  • Failed to parse configuration file: DelineaXPM/dsv-k8s/.whitesource: Expected name at line 9 column 4 path $.scanSettings.displayLicenseViolations

github.com/magefile/mage-v1.13.0: 4 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - github.com/magefile/mage-v1.13.0

a Make/rake-like dev tool using Go

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2020-11023 | Medium | 6.1 | github.com/magefile/mage-v1.13.0 | Direct | jquery - 3.5.0; jquery-rails - 4.4.0 | |
| CVE-2020-11022 | Medium | 6.1 | github.com/magefile/mage-v1.13.0 | Direct | jQuery - 3.5.0 | |
| CVE-2015-9251 | Medium | 6.1 | github.com/magefile/mage-v1.13.0 | Direct | jQuery - v3.0.0 | |
| CVE-2019-11358 | Medium | 6.1 | github.com/magefile/mage-v1.13.0 | Direct | 3.4.0 | |

Details

CVE-2020-11023

Vulnerable Library - github.com/magefile/mage-v1.13.0

a Make/rake-like dev tool using Go

Dependency Hierarchy:

  • github.com/magefile/mage-v1.13.0 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

CVE-2020-11022

Vulnerable Library - github.com/magefile/mage-v1.13.0

a Make/rake-like dev tool using Go

Dependency Hierarchy:

  • github.com/magefile/mage-v1.13.0 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2015-9251

Vulnerable Library - github.com/magefile/mage-v1.13.0

a Make/rake-like dev tool using Go

Dependency Hierarchy:

  • github.com/magefile/mage-v1.13.0 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

CVE-2019-11358

Vulnerable Library - github.com/magefile/mage-v1.13.0

a Make/rake-like dev tool using Go

Dependency Hierarchy:

  • github.com/magefile/mage-v1.13.0 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Implement an UPDATE "exemption" mechanism in the injector for the syncer AB#449116

Background

The latest version of this repository introduced a new component, the “syncer.” After the injector has done the initial patch, it works with the syncer to re-patch annotated k8s secrets when required.

Problem

When the syncer was added, the injector was re-configured to act only on Kubernetes secret CREATE, not UPDATE as it did previously. This was to avoid a “double-update” when the syncer runs. However, it resulted in an integration bug whereby updating a Kubernetes secret with an unannotated input drops the annotations, and the secret does not get patched then or subsequently.

Solution

The injector and syncer will share an “exemption” token. When the syncer updates a secret, it will use the exemption token to tell the injector that it should not operate on this secret because the syncer already has.

Design

Both the injector and the syncer will be updated to create/overwrite and read the exemption token from a Kubernetes secret that both components have access to.
Both charts will need a mechanism for creating and specifying overwrite behavior on/for the exemption token. However, a non-default overwrite setting in the chart values should be sufficient as overwrite is not frequently or generally useful.
The secret itself will be a base64 encoded UUID. However, any base64 encoded string that is 40 characters or more in length will be considered valid.

Implementation

  • Chart updates:
    • Both components need an RBAC role to share the exemption token.
    • A service account for the injector so that it can manipulate the exemption token.
    • Add “UPDATE” back to the injector webhook YAML.
    • A new annotation to carry the exemption token.
  • Code changes:
    • Add code to the syncer that adds the exemption token to the Kubernetes secret that it is patching, using the new annotation.
    • Enable the injector and syncer to create, read, and, when specified, overwrite the exemption token Kubernetes secret.
    • Enable the injector to check for the exemption token and complete without patching when it is present and matches the value in the Kubernetes secret that the injector and syncer share.

Considerations

The injector will now have a service account, authenticate itself to the cluster, and have a role that reads a secret. In the current version, the injector has no rights to the cluster, nor is it aware of whether it is a part of one.
A malicious actor can theoretically steal the exemption token; however, any practical attack would require more access than the token would grant them.

TL;DR

A shared “exemption token” will be added to the injector and syncer such that the syncer adds the exemption token and the injector does not act on UPDATE of the Kubernetes secret when a matching exemption token is present. A malicious actor would need more access to steal the exemption token than it is worth.

related AB#449116
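The exemption check described in this issue, as an added illustration that is not the project's own code: a generated base64 UUID token, the 40-character validity rule from the design, the syncer stamping the token into an annotation, and the injector skipping UPDATE only when that annotation matches the shared token in constant time. The annotation key and the Secret struct are stand-ins assumed here; the issue names neither.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// exemptionAnnotation is a hypothetical annotation key; the issue only says
// "a new annotation to carry the exemption token" without naming it.
const exemptionAnnotation = "dsv.delinea.com/exemption-token"

// minTokenLen is the issue's acceptance rule: any base64 string of 40+ characters.
const minTokenLen = 40

// Operation mirrors the admission operation the injector webhook receives.
type Operation string

const (
	OpCreate Operation = "CREATE"
	OpUpdate Operation = "UPDATE"
)

// Secret is a stand-in for the parts of corev1.Secret this check needs.
type Secret struct {
	Name        string
	Annotations map[string]string
}

// NewExemptionToken builds the shared token the way the design describes:
// a random v4-style UUID, base64 encoded (48 characters in encoded form).
func NewExemptionToken() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	uuid := fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
	return base64.StdEncoding.EncodeToString([]byte(uuid)), nil
}

// ValidExemptionToken applies the issue's rule: well-formed base64 and at least
// 40 characters. Both components should apply it when reading the shared Secret
// so a truncated or tampered token is rejected instead of silently used.
func ValidExemptionToken(tok string) bool {
	if len(tok) < minTokenLen {
		return false
	}
	_, err := base64.StdEncoding.DecodeString(tok)
	return err == nil
}

// SyncerMarkExempt is the syncer side: before re-patching a secret it stamps
// the shared token into the annotation so the injector can recognise the write.
func SyncerMarkExempt(s *Secret, sharedToken string) error {
	if !ValidExemptionToken(sharedToken) {
		return errors.New("refusing to use an invalid exemption token")
	}
	if s.Annotations == nil {
		s.Annotations = map[string]string{}
	}
	s.Annotations[exemptionAnnotation] = sharedToken
	return nil
}

// InjectorShouldPatch is the injector side. CREATE is always patched. UPDATE is
// patched unless the annotation is present and equals the shared token; the
// comparison is constant-time so the webhook does not leak the token via timing.
func InjectorShouldPatch(op Operation, s *Secret, sharedToken string) (bool, error) {
	if !ValidExemptionToken(sharedToken) {
		return false, errors.New("injector has no valid exemption token; refusing to run")
	}
	switch op {
	case OpCreate:
		return true, nil
	case OpUpdate:
		got, ok := s.Annotations[exemptionAnnotation]
		if !ok {
			return true, nil // unannotated update: the bug case, so patch it
		}
		if subtle.ConstantTimeCompare([]byte(got), []byte(sharedToken)) == 1 {
			return false, nil // the syncer already patched this one
		}
		return true, nil // annotation present but wrong: treat as a normal update
	default:
		return false, fmt.Errorf("unsupported operation %q", op)
	}
}

func main() {
	tok, err := NewExemptionToken()
	if err != nil {
		panic(err)
	}
	s := &Secret{Name: "app-creds"} // constructed sample secret
	before, _ := InjectorShouldPatch(OpUpdate, s, tok)
	_ = SyncerMarkExempt(s, tok)
	after, _ := InjectorShouldPatch(OpUpdate, s, tok)
	fmt.Println("patch unannotated update:", before, "patch syncer write:", after)
}
```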

Improve documentation (v1.2.2)

Hello,

I tried to follow your documentation in order to install dsv-syncer and injector on a Kubernetes cluster (rke2). Our instance is located in Europe (tld = eu).

Unfortunately, in the documentation there's no example to change the TLD so I decided to add it in my PR.

I also got a patch error (on the syncer side) if I didn't add a dummy value in the secret data, so I also modified this part in the documentation.

Thank you for the work you do and I hope my PR is done properly.

Best regards,

k8s.io/apimachinery-v0.24.4: 2 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - k8s.io/apimachinery-v0.24.4

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-30633 | High | 7.5 | github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc | Transitive | N/A | |
| CVE-2022-28131 | High | 7.5 | github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc | Transitive | N/A | |

Details

CVE-2022-30633

Vulnerable Library - github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • k8s.io/apimachinery-v0.24.4 (Root Library)
    • github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.

Publish Date: 2022-08-10

URL: CVE-2022-30633

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-30633

Release Date: 2022-05-13

Fix Resolution: go1.17.12,go1.18.4

CVE-2022-28131

Vulnerable Library - github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • k8s.io/apimachinery-v0.24.4 (Root Library)
    • github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.

Publish Date: 2022-08-10

URL: CVE-2022-28131

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-28131

Release Date: 2022-03-29

Fix Resolution: go1.17.12,go1.18.4

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Pending Approval

These branches will be created by Renovate only once you click their checkbox below.

  • chore(deps): update github-actions (elgohr/go-vulncheck-action, github/codeql-action)
  • chore(deps): update gomod to v0.31.0 (k8s.io/apimachinery, k8s.io/client-go)
  • chore(deps): update ⬆️ regex matched resources to v2.30.0
  • chore(deps): update github-actions (major) (actions/cache, actions/checkout, aquaproj/aqua-installer, codecov/codecov-action, docker/login-action, github/codeql-action, magefile/mage-action, magnetikonline/action-golang-cache)
  • chore(deps): update gomod (major) (github.com/brianvoe/gofakeit/v6, github.com/caarlos0/env/v6, github.com/imdario/mergo)
  • chore(deps): update ⬆️ aqua-packages (aquaproj/aqua-registry, golang/go, golangci/golangci-lint, goreleaser/goreleaser, helm/helm, kubernetes-sigs/kind, mvdan/gofumpt)

Detected dependencies

dockerfile
.devcontainer/Dockerfile
Dockerfile
docker/Dockerfile.chainguard
docker/Dockerfile.distroless
github-actions
.github/workflows/assign.yml
  • delineaxpm/github-workflows main
.github/workflows/changie-trigger-release.yml
  • delineaxpm/github-workflows main
.github/workflows/conventional-pr.yml
  • delineaxpm/github-workflows main
.github/workflows/lint.yml
  • delineaxpm/github-workflows main
.github/workflows/release.yml
  • actions/checkout v3@f43a0e5ff2bd294095638e18286ca9a3d1956744
  • magnetikonline/action-golang-cache v3@797f193169d3c8ba6f60d90f50ecdadd2583fbd8
  • aquaproj/aqua-installer v2.3.2@fd2089d1f56724d6456f24d58605e6964deae124
  • magefile/mage-action v2@a3d5bb52942181c125118a2be4b4664c3337aef6
  • docker/login-action v2@465a07811f14bebb1938fbed4728c6a1ff8901fc
  • docker/login-action v2@465a07811f14bebb1938fbed4728c6a1ff8901fc
  • magefile/mage-action v2@a3d5bb52942181c125118a2be4b4664c3337aef6
.github/workflows/scan.yml
  • actions/checkout v3@f43a0e5ff2bd294095638e18286ca9a3d1956744
  • aquaproj/aqua-installer v2.3.2@fd2089d1f56724d6456f24d58605e6964deae124
  • actions/cache v3@e12d46a63a90f2fae62d114769bbf2a179198b5c
  • elgohr/go-vulncheck-action e73217f293105d5418d631c4d308eb0c27943f1d
  • actions/checkout v3@f43a0e5ff2bd294095638e18286ca9a3d1956744
  • github/codeql-action v2@e113c555ef0956479345cfc3ed530c938d670db0
  • github/codeql-action v2@e113c555ef0956479345cfc3ed530c938d670db0
  • github/codeql-action v2@e113c555ef0956479345cfc3ed530c938d670db0
.github/workflows/stale.yaml
  • delineaxpm/github-workflows main
.github/workflows/test.yml
  • actions/checkout v3@f43a0e5ff2bd294095638e18286ca9a3d1956744
  • aquaproj/aqua-installer v2.3.2@fd2089d1f56724d6456f24d58605e6964deae124
  • actions/cache v3@e12d46a63a90f2fae62d114769bbf2a179198b5c
  • codecov/codecov-action v3.1.6@ab904c41d6ece82784817410c45d8b8c02684457
gomod
go.mod
  • go 1.22.0
  • github.com/DelineaXPM/dsv-sdk-go/v2 v2.1.2
  • github.com/bitfield/script v0.22.1
  • github.com/brianvoe/gofakeit/v6 v6.28.0
  • github.com/caarlos0/env/v6 v6.10.1
  • github.com/magefile/mage v1.15.0
  • github.com/mattbaird/jsonpatch v0.0.0-20240118010651-0ba75a80ca38@0ba75a80ca38
  • github.com/pterm/pterm v0.12.79
  • github.com/rs/zerolog v1.33.0
  • github.com/sheldonhull/magetools v1.0.2
  • k8s.io/api v0.30.3
  • k8s.io/apimachinery v0.30.3
  • k8s.io/client-go v0.30.3
  • github.com/imdario/mergo v0.3.16
helm-values
charts/dsv-injector/values.yaml
charts/dsv-syncer/values.yaml
regex
.aqua/aqua.yaml
  • aquaproj/aqua-registry v4.212.0
  • miniscruff/changie v1.19.1
  • golang/go go1.22.6
  • direnv/direnv v2.34.0
  • magefile/mage v1.15.0
  • charmbracelet/glow v1.5.1
  • goreleaser/goreleaser v2.1.0
  • mvdan/gofumpt v0.6.0
  • anchore/syft v1.11.0
  • norwoodj/helm-docs v1.14.2
  • gotestyourself/gotestsum v1.12.0
  • c-bata/kube-prompt v1.0.11
  • kubernetes-sigs/kind v0.23.0
  • helm/helm v3.15.3
  • kubernetes/minikube v1.33.1
  • stern/stern v1.30.0
  • tilt-dev/tilt v0.33.19
  • golangci/golangci-lint v1.59.1
  • DelineaXPM/dsv-cli v1.41.1
  • gitleaks/gitleaks v8.18.4
  • charmbracelet/gum v0.14.3
.github/workflows/release.yml
  • aquaproj/aqua v2.28.0
.github/workflows/scan.yml
  • aquaproj/aqua v2.28.0
.github/workflows/test.yml
  • aquaproj/aqua v2.28.0
.aqua/aqua.yaml
  • golang/go 1.22.6

RedHat Quay image is broken

Description of the issue

The Red Hat Quay image is broken and so is the build badge.

Expected behaviour

Installing the helm chart and using the injector and syncer should work.

Actual behavior

They don't because the injector in the current image in Quay is broken.

Your environment

Affects all users

Steps to reproduce

Install the chart and test the injector

URL Update

Description of the issue

Can this URL be updated (https://gist.github.com/amigus/b4e6e642f88e756be1996e44a1c35349) to use a different resource?

Steps to reproduce

ℹ️ All this assumes that the injector uses a certificate signed by the cluster CA. There are several options like [cert-manager](https://cert-manager.io/) for getting cluster-signed certs, however, this simple [bash script](https://gist.github.com/amigus/b4e6e642f88e756be1996e44a1c35349) will request and grant a suitable certificate from the cluster using cURL and OpenSSL.

Latest chart version image with problem

Environment

  • Minikube v1.25.2 on Arch 22.0.0 (Tested with Docker and Virtualbox Driver)

Problem

image

After updating the image repository to docker, installing chart has this problem. The version with the old repository (quay.io) works fine.

I think the image is the problem.

Other related issue

image

We also use another way of using Delinea related to Kubernetes (sidecar); the image was updated some time ago and changed from amd64 to arm64. Can you fix that?

Before this update the latest version was amd64 and worked relatively well.

Password hard-coded in Example in Readme

Description of the issue

Password hard-coded in Example in Readme

Expected behavior

Credential should be fetched from secure vault or other secure method

Actual behavior

Cred is hard coded.

Steps to reproduce

image

Invalid Memory Address (thycotic/dsv-k8s-controller)

Hello guys!

Guys, we use your integration for Kubernetes (sidecar), which is in the repository https://hub.docker.com/r/thycotic/dsv-k8s-controller (https://docs.thycotic.com/dsv/current/usage/integrations/kubernetes/kubernetes-sidecar/broker.md). Some time ago we reported a problem that the broker restarted from time to time; it was updated on Docker Hub with the solution, but with an arm64 version. Now it's updated to amd64 again, but the restart problem is back. The error log follows; can you help us?

time="2023-01-30T18:57:34Z" level=error msg="Error getting pod" error=EOF
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x58 pc=0x8d0fc5]

goroutine 30 [running]:
container-go/pkg/pods.NewPodRegistry.func1({0x7ffeca2a40bf, 0xd}, 0xc000237550, 0x0?, 0x0?, 0x0?)
	/go/src/container-go/pkg/pods/registry.go:63 +0x105
created by container-go/pkg/pods.NewPodRegistry
	/go/src/container-go/pkg/pods/registry.go:55 +0x36a

Another thing we wanted was the availability of this code on Github so that it would be easier for us to report problems and/or solutions.

Thanks!

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Location: renovate.json
Error type: The renovate configuration file contains some invalid settings
Message: Configuration option 'packageRules[0].group' should be a json object, Configuration option 'packageRules[1].group' should be a json object

github.com/mittwald/go-helm-client-v0.11.3: 14 vulnerabilities (highest severity is: 9.1)

Vulnerable Library - github.com/mittwald/go-helm-client-v0.11.3

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2016-9121 | High | 9.1 | github.com/docker/distribution-v2.8.1 | Transitive | N/A | |
| CVE-2021-3121 | High | 8.6 | github.com/docker/cli-v20.10.17 | Transitive | N/A | |
| CVE-2016-9122 | High | 7.5 | github.com/docker/distribution-v2.8.1 | Transitive | N/A | |
| CVE-2022-21698 | High | 7.5 | detected in multiple dependencies | Transitive | N/A | |
| WS-2021-0200 | High | 7.5 | github.com/docker/distribution-v2.8.1 | Transitive | N/A | |
| CVE-2020-29652 | High | 7.5 | github.com/docker/cli-v20.10.17 | Transitive | N/A | |
| CVE-2016-9123 | High | 7.5 | github.com/docker/distribution-v2.8.1 | Transitive | N/A | |
| CVE-2022-27191 | High | 7.5 | github.com/docker/cli-v20.10.17 | Transitive | N/A | |
| CVE-2021-44716 | High | 7.5 | detected in multiple dependencies | Transitive | N/A | |
| CVE-2021-43565 | High | 7.5 | github.com/docker/cli-v20.10.17 | Transitive | N/A | |
| CVE-2020-8559 | Medium | 6.8 | github.com/docker/cli-v20.10.17 | Transitive | N/A | |
| CVE-2019-11254 | Medium | 6.5 | github.com/docker/distribution-v2.8.1 | Transitive | N/A | |
| CVE-2021-31525 | Medium | 5.9 | github.com/docker/cli-v20.10.17 | Transitive | N/A | |
| CVE-2020-8565 | Medium | 5.5 | github.com/docker/cli-v20.10.17 | Transitive | N/A | |

Details

CVE-2016-9121

Vulnerable Library - github.com/docker/distribution-v2.8.1

The toolkit to pack, ship, store, and deliver container content

Dependency Hierarchy:

  • github.com/mittwald/go-helm-client-v0.11.3 (Root Library)
    • helm.sh/helm/v3-v3.9.1
      • oras.land/oras-go-v1.2.0
        • github.com/docker/distribution-v2.8.1 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

go-jose before 1.0.4 suffers from an invalid curve attack for the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an encrypted message, go-jose neglected to check that the received public key on a message is on the same curve as the static private key of the receiver, thus making it vulnerable to an invalid curve attack.

Publish Date: 2017-03-28

URL: CVE-2016-9121

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-9121

Release Date: 2017-03-28

Fix Resolution: 1.0.4

CVE-2021-3121

Vulnerable Library - github.com/docker/cli-v20.10.17

The Docker CLI

Dependency Hierarchy:

  • github.com/mittwald/go-helm-client-v0.11.3 (Root Library)
    • helm.sh/helm/v3-v3.9.1
      • oras.land/oras-go-v1.2.0
        • github.com/docker/cli-v20.10.17 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.

Publish Date: 2021-01-11

URL: CVE-2021-3121

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121

Release Date: 2021-01-11

Fix Resolution: v1.3.2

CVE-2016-9122

Vulnerable Library - github.com/docker/distribution-v2.8.1

The toolkit to pack, ship, store, and deliver container content

Dependency Hierarchy:

  • github.com/mittwald/go-helm-client-v0.11.3 (Root Library)
    • helm.sh/helm/v3-v3.9.1
      • oras.land/oras-go-v1.2.0
        • github.com/docker/distribution-v2.8.1 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.

Publish Date: 2017-03-28

URL: CVE-2016-9122

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0011

Release Date: 2017-03-28

Fix Resolution: v1.1.0

CVE-2022-21698

Vulnerable Libraries - github.com/docker/distribution-v2.8.1, github.com/docker/cli-v20.10.17

github.com/docker/distribution-v2.8.1

The toolkit to pack, ship, store, and deliver container content

Dependency Hierarchy:

  • github.com/mittwald/go-helm-client-v0.11.3 (Root Library)
    • helm.sh/helm/v3-v3.9.1
      • oras.land/oras-go-v1.2.0
        • github.com/docker/distribution-v2.8.1 (Vulnerable Library)

github.com/docker/cli-v20.10.17

The Docker CLI

Dependency Hierarchy:

  • github.com/mittwald/go-helm-client-v0.11.3 (Root Library)
    • helm.sh/helm/v3-v3.9.1
      • oras.land/oras-go-v1.2.0
        • github.com/docker/cli-v20.10.17 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass metric with method label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown method. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the method label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.

Publish Date: 2022-02-15

URL: CVE-2022-21698

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cg3q-j54f-5p7p

Release Date: 2022-02-15

Fix Resolution: v1.11.1

WS-2021-0200

Vulnerable Library - github.com/docker/distribution-v2.8.1

The toolkit to pack, ship, store, and deliver container content

Dependency Hierarchy:

  • github.com/mittwald/go-helm-client-v0.11.3 (Root Library)
    • helm.sh/helm/v3-v3.9.1
      • oras.land/oras-go-v1.2.0
        • github.com/docker/distribution-v2.8.1 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

Yaml in versions v2.2.0 to v2.2.2 is vulnerable to a denial of service vector, related to decode.go.

Publish Date: 2021-04-14

URL: WS-2021-0200

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0061

Release Date: 2021-04-14

Fix Resolution: v2.2.3

CVE-2020-29652

Vulnerable Library - github.com/docker/cli-v20.10.17

The Docker CLI

Dependency Hierarchy:

  • github.com/mittwald/go-helm-client-v0.11.3 (Root Library)
    • helm.sh/helm/v3-v3.9.1
      • oras.land/oras-go-v1.2.0
        • github.com/docker/cli-v20.10.17 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.

Publish Date: 2020-12-17

URL: CVE-2020-29652

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1

Release Date: 2020-12-17

Fix Resolution: v0.0.0-20201216223049-8b5274cf687f

CVE-2016-9123

Vulnerable Library - github.com/docker/distribution-v2.8.1

The toolkit to pack, ship, store, and deliver container content

Dependency Hierarchy:

  • github.com/mittwald/go-helm-client-v0.11.3 (Root Library)
    • helm.sh/helm/v3-v3.9.1
      • oras.land/oras-go-v1.2.0
        • github.com/docker/distribution-v2.8.1 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

go-jose before 1.0.5 suffers from a CBC-HMAC integer overflow on 32-bit architectures. An integer overflow could lead to authentication bypass for CBC-HMAC encrypted ciphertexts on 32-bit architectures.

Publish Date: 2017-03-28

URL: CVE-2016-9123

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0009

Release Date: 2017-03-28

Fix Resolution: v1.0.5

CVE-2022-27191

Vulnerable Library - github.com/docker/cli-v20.10.17

The Docker CLI

Dependency Hierarchy:

  • github.com/mittwald/go-helm-client-v0.11.3 (Root Library)
    • helm.sh/helm/v3-v3.9.1
      • oras.land/oras-go-v1.2.0
        • github.com/docker/cli-v20.10.17 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.

Publish Date: 2022-03-18

URL: CVE-2022-27191

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-27191

Release Date: 2022-03-18

Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20220315.3147a52-1;golang-go.crypto-dev - 1:0.0~git20220315.3147a52-1

CVE-2021-44716

Vulnerable Libraries - github.com/docker/cli-v20.10.17, github.com/docker/distribution-v2.8.1

github.com/docker/cli-v20.10.17

The Docker CLI

Dependency Hierarchy:

  • github.com/mittwald/go-helm-client-v0.11.3 (Root Library)
    • helm.sh/helm/v3-v3.9.1
      • oras.land/oras-go-v1.2.0
        • github.com/docker/cli-v20.10.17 (Vulnerable Library)

github.com/docker/distribution-v2.8.1

The toolkit to pack, ship, store, and deliver container content

Dependency Hierarchy:

  • github.com/mittwald/go-helm-client-v0.11.3 (Root Library)
    • helm.sh/helm/v3-v3.9.1
      • oras.land/oras-go-v1.2.0
        • github.com/docker/distribution-v2.8.1 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

Publish Date: 2022-01-01

URL: CVE-2021-44716

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vc3p-29h2-gpcp

Release Date: 2022-01-01

Fix Resolution: github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70

CVE-2021-43565

Vulnerable Library - github.com/docker/cli-v20.10.17

The Docker CLI

Dependency Hierarchy:

  • github.com/mittwald/go-helm-client-v0.11.3 (Root Library)
    • helm.sh/helm/v3-v3.9.1
      • oras.land/oras-go-v1.2.0
        • github.com/docker/cli-v20.10.17 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.

Publish Date: 2021-11-10

URL: CVE-2021-43565

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43565

Release Date: 2021-11-10

Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20211202.5770296-1;golang-go.crypto-dev - 1:0.0~git20211202.5770296-1

CVE-2020-8559

Vulnerable Library - github.com/docker/cli-v20.10.17

The Docker CLI

Dependency Hierarchy:

  • github.com/mittwald/go-helm-client-v0.11.3 (Root Library)
    • helm.sh/helm/v3-v3.9.1
      • oras.land/oras-go-v1.2.0
        • github.com/docker/cli-v20.10.17 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

Publish Date: 2020-07-22

URL: CVE-2020-8559

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-08-10

Fix Resolution: v1.18.6,v1.17.9,v1.16.13

CVE-2019-11254

Vulnerable Library - github.com/docker/distribution-v2.8.1

The toolkit to pack, ship, store, and deliver container content

Dependency Hierarchy:

  • github.com/mittwald/go-helm-client-v0.11.3 (Root Library)
    • helm.sh/helm/v3-v3.9.1
      • oras.land/oras-go-v1.2.0
        • github.com/docker/distribution-v2.8.1 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

Publish Date: 2020-04-01

URL: CVE-2019-11254

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-02

Fix Resolution: v2.2.8

CVE-2021-31525

Vulnerable Library - github.com/docker/cli-v20.10.17

The Docker CLI

Dependency Hierarchy:

  • github.com/mittwald/go-helm-client-v0.11.3 (Root Library)
    • helm.sh/helm/v3-v3.9.1
      • oras.land/oras-go-v1.2.0
        • github.com/docker/cli-v20.10.17 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

Publish Date: 2021-05-27

URL: CVE-2021-31525

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341

Release Date: 2021-05-27

Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0

CVE-2020-8565

Vulnerable Library - github.com/docker/cli-v20.10.17

The Docker CLI

Dependency Hierarchy:

  • github.com/mittwald/go-helm-client-v0.11.3 (Root Library)
    • helm.sh/helm/v3-v3.9.1
      • oras.land/oras-go-v1.2.0
        • github.com/docker/cli-v20.10.17 (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.

Publish Date: 2020-12-07

URL: CVE-2020-8565

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0064

Release Date: 2020-12-07

Fix Resolution: v1.20.0-alpha.2

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Repository problems

Renovate tried to run on this repository, but found these problems.

  • WARN: Unable to read vulnerability information

Pending Approval

These branches will be created by Renovate only once you click their checkbox below.

  • chore(deps): pin dependencies (actions/cache, actions/checkout, aquaproj/aqua-installer, codecov/codecov-action, docker/login-action, elgohr/go-vulncheck-action, github/codeql-action, magefile/mage-action, magnetikonline/action-golang-cache)
  • chore(deps): update gomod (github.com/mattbaird/jsonpatch, github.com/pterm/pterm, k8s.io/api, k8s.io/apimachinery, k8s.io/client-go)
  • chore(deps): update dependency node to v17.9.1
  • chore(deps): update dependency node to v20
  • chore(deps): update github-actions (major) (actions/cache, actions/checkout, docker/login-action, github/codeql-action, magefile/mage-action, magnetikonline/action-golang-cache)
  • chore(deps): update ⬆️ gomod github.com/caarlos0/env/v6 to v10
  • chore(deps): update ⬆️ regex matched resources to v2
  • chore(deps): update ⬆️ aqua-packages (DelineaXPM/dsv-cli, anchore/syft, aquaproj/aqua-registry, helm/helm, miniscruff/changie)
  • 🔐 Create all pending approval PRs at once 🔐

Detected dependencies

asdf
.tool-versions
  • node 17.3.0
dockerfile
.devcontainer/Dockerfile
Dockerfile
docker/Dockerfile.chainguard
docker/Dockerfile.distroless
github-actions
.github/workflows/assign.yml
.github/workflows/conventional-pr.yml
.github/workflows/github.yml
  • actions/checkout v3
  • magnetikonline/action-golang-cache v3
.github/workflows/lint.yml
.github/workflows/release.yml
  • actions/checkout v3
  • magnetikonline/action-golang-cache v3@797f193169d3c8ba6f60d90f50ecdadd2583fbd8
  • aquaproj/aqua-installer v2.0.2@61e2563dfe7674cbf74fe6ec212e444198a3bb00
  • magefile/mage-action v2@3b833fb24c0d19eed3aa760b9eb285b4b84f420f
  • docker/login-action v2
  • docker/login-action v2
  • magefile/mage-action v2@3b833fb24c0d19eed3aa760b9eb285b4b84f420f
.github/workflows/scan.yml
  • actions/checkout v3
  • aquaproj/aqua-installer v2.0.2@61e2563dfe7674cbf74fe6ec212e444198a3bb00
  • actions/cache v3
  • elgohr/go-vulncheck-action 90e331d6e77587505906ef175d4b44a1d2cb6a63
  • actions/checkout v3
  • github/codeql-action v2
  • github/codeql-action v2
  • github/codeql-action v2
.github/workflows/stale.yaml
.github/workflows/test.yml
  • actions/checkout v3
  • aquaproj/aqua-installer v2.0.2@61e2563dfe7674cbf74fe6ec212e444198a3bb00
  • actions/cache v3
  • codecov/codecov-action v3.1.1@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70
gomod
go.mod
  • go 1.21
  • github.com/DelineaXPM/dsv-sdk-go/v2 v2.1.0
  • github.com/bitfield/script v0.22.0
  • github.com/caarlos0/env/v6 v6.10.1
  • github.com/magefile/mage v1.15.0
  • github.com/mattbaird/jsonpatch v0.0.0-20230413205102-771768614e91@771768614e91
  • github.com/pterm/pterm v0.12.74
  • github.com/rs/zerolog v1.31.0
  • github.com/sheldonhull/magetools v1.0.1
  • k8s.io/api v0.29.0
  • k8s.io/apimachinery v0.29.0
  • k8s.io/client-go v0.29.0
helm-values
charts/dsv-injector/values.yaml
  • docker.io/delineaxpm/dsv-k8s v1.2.2
charts/dsv-syncer/values.yaml
  • docker.io/delineaxpm/dsv-k8s v1.2.2
regex
.aqua/aqua.yaml
  • aquaproj/aqua-registry v4.118.0
  • miniscruff/changie v1.17.0
  • golang/go go1.21.6
  • direnv/direnv v2.33.0
  • magefile/mage v1.15.0
  • charmbracelet/glow v1.5.1
  • goreleaser/goreleaser v1.23.0
  • mvdan/gofumpt v0.5.0
  • anchore/syft v0.100.0
  • norwoodj/helm-docs v1.12.0
  • gotestyourself/gotestsum v1.11.0
  • c-bata/kube-prompt v1.0.11
  • kubernetes-sigs/kind v0.20.0
  • helm/helm v3.13.3
  • kubernetes/minikube v1.32.0
  • stern/stern v1.28.0
  • tilt-dev/tilt v0.33.10
  • golangci/golangci-lint v1.55.2
  • DelineaXPM/dsv-cli v1.40.5
  • gitleaks/gitleaks v8.18.1
.github/workflows/release.yml
  • aquaproj/aqua v1.38.0
.github/workflows/scan.yml
  • aquaproj/aqua v1.38.0
.github/workflows/test.yml
  • aquaproj/aqua v1.38.0
.aqua/aqua.yaml
  • golang/go 1.21.6

genSignedCert should check for expiration of cert in next n days and ensure new self signed cert is provisioned if this happens

current behavior

  • genSignedCert in charts/dsv-injector/templates/webhook.yaml generates a cert if the user doesn't provide their own.
  • If the releasename-tls is found, it defaults to this.

So, the basics of the current behavior:

{{- $tlsCert := genSelfSignedCert (include "dsv.dnsname" .) nil (list (include "dsv.dnsname" .) (include "dsv.name" .)) (default 365 .Values.webhookCertExpireDays | int) -}}
{{- $tlsSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" (include "dsv.name" .)) -}}
  • $tlsCert == self-signed cert, always generated on run (it's a helm function)

  • $tlsSecret is a lookup to find the "CurrentReleaseName-tls".

  • The clientConfig: value for the webhook:

    clientConfig:
{{- if eq .Values.service.type "ExternalName" }}
      caBundle: {{ .Values.caBundle }}
{{- else if $tlsSecret }}
      caBundle: {{ $tlsSecret.data.cert }}
{{- else }}
      caBundle: {{ $tlsCert.Cert | b64enc }}

Logic explained:

  • eq .Values.service.type "ExternalName" is set, then this takes precedence (for when the service is running external to kubernetes). The default in charts/dsv-injector/values.yaml is set to type: ClusterIP. This means unless this is changed, the default behavior will fall through to checking if an existing cert is found in the namespace for this release (aka someone installed their own cert before).
  • caBundle is not set by default, but could be passed in with the helm install command if desired; the caBundle must be a base64 string containing a PEM-encoded certificate chain that validates the certificate, per charts/dsv-injector/values.yaml.
  • Else, if the existing $tlsSecret that was looked up is found, then it uses this. That doesn't check if it's valid or not, so it will just reuse what's there.
  • Else, if no existing cert (meaning fresh install, or expired cert was deleted), then it uses the self-signed cert from the helm function genSelfSignedCert.
  • The logic expects caBundle to only be used when designating an external service.

improvement to behavior

  • The check against {{- else if $tlsSecret }} should check if it exists, but also check that the tls secret cert expiration is <= recreateSelfSignedCertThreshold (in days).
  • recreateSelfSignedCertThreshold will default in helm values to 90 days.
  • webhookCertExpireDays should be exposed in the values.yaml with a default of 365, rather than the default being set in the webhook.yaml, so it's more visible.
  • This same check should be applied to the secret, which creates the cert files separately in charts/dsv-injector/templates/webhook.yaml. This should be modified to also have the same check for expiration.
data:
{{- if $tlsSecret }}
  cert.pem: {{ $tlsSecret.data.cert }}
  key.pem: {{ $tlsSecret.data.key }}
{{- else }}
  cert.pem: {{ $tlsCert.Cert | b64enc }}
  key.pem: {{ $tlsCert.Key | b64enc }}
{{- end }}

Looking Into

  • should this be gated behind a SelfSignedCertRegeneration to avoid impact to a custom provided cert? ANSWER: The logic expects caBundle to only be used when designating an external service. Otherwise genSelfSignedCert is what's used.
  • we load the custom provided cert via config map with DSV_CERT, I believe. Validate if this impacts anything here, since it's not exposed as a helm input for this process currently, but expected to be done on app loading. ANSWERED below.

How this Relates to the DSV_CERT and loading in injector

  • cmd/injector/main.go caused some confusion initially, as a container wouldn't have knowledge of "${HOME}". I backtracked this though and recall now why this is set.

So yes, it was always finding it (else it would error as fatal/termination of Run).
But nothing was checking the expiration of the cert.

related to AB#590946

Request for Documentation: Add company specific Root CAs

Problem
Connection to Secret Server fails because of missing trusted Root CA:

2023/08/29 07:11:56 [DEBUG] grant response error:Post "https://swwpam.ch/SecretServer/.secretsvaultcloud.com/v1/token": tls: failed to verify certificate: x509: certificate signed by unknown authority

I guess I can set the company Root CAs via the optional ConfigMap section in values.yaml:

configmap:
DSV_CERT:
DSV_KEY:
DSV_CREDENTIALS_JSON:
DSV_SERVER_ADDRESS:
DSV_DEBUG: 'true'

But I'm missing some documentation here. Maybe an example.

Thank you in advance for some hints or feedback regarding this topic.
