From b1a0f38d665a5daa1771ba3eb46750c8927e0828 Mon Sep 17 00:00:00 2001
From: Pim van Nierop
Date: Wed, 19 Feb 2025 12:49:31 +0100
Subject: [PATCH 1/5] feat: fix output format for external_docker_image_matrix script
---
 .github/bin/external_docker_image_matrix | 9 +++++++++
 .github/workflows/scheduled-snyk-docker.yaml | 3 +++
 charts/radar-gateway/Chart.yaml | 2 +-
 charts/radar-gateway/README.md | 4 ++--
 charts/radar-gateway/values.yaml | 2 +-
 charts/radar-push-endpoint/Chart.yaml | 2 +-
 charts/radar-push-endpoint/README.md | 8 +++++++-
 .../templates/_helpers.tpl | 6 ++++++
 .../templates/deployment.yaml | 4 ++--
 charts/radar-push-endpoint/values.yaml | 20 +++++++++++++++++++
 external/grafana/Chart.yaml | 2 +-
 11 files changed, 53 insertions(+), 9 deletions(-)
diff --git a/.github/bin/external_docker_image_matrix b/.github/bin/external_docker_image_matrix
index a72a88c4..e234b3e2 100755
--- a/.github/bin/external_docker_image_matrix
+++ b/.github/bin/external_docker_image_matrix
@@ -29,6 +29,15 @@ cat images.tmp1 | grep ".*\/.*\/.*" > images.tmp2
 cat images.tmp1 | grep -v ".*\/.*\/.*" | sed "s/^/docker.io\//g" > images.tmp3
 cat images.tmp2 images.tmp3 | sort | uniq > images.txt
+# Exclude images refs that match any of the patterns passed in with the EXCLUDE_IMAGES environment variable.
+if [ -n "$EXCLUDE_IMAGES" ]; then
+ for pattern in $EXCLUDE_IMAGES do
+ grep -v $pattern images.txt > images.tmp
+ mv images.tmp images.txt
+ done
+fi
+
 # Generate the JSON array
 echo "{ \"include\": [" > $output_file
 while IFS= read -r line; do
diff --git a/.github/workflows/scheduled-snyk-docker.yaml b/.github/workflows/scheduled-snyk-docker.yaml
index 24de6cd1..1bed11e7 100644
--- a/.github/workflows/scheduled-snyk-docker.yaml
+++ b/.github/workflows/scheduled-snyk-docker.yaml
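Review bot: `grep -v $pattern images.txt` treats each entry of the exclusion list as an unquoted, unanchored basic regex, so a pattern drops every image ref that merely contains it and a pattern beginning with `-` would be parsed as a grep option; because this step decides which images never reach the vulnerability scan, quote the pattern and pass it explicitly, `grep -v -e "$pattern" images.txt > images.tmp`, and consider echoing the dropped refs so the workflow log records what was skipped. Note also that `grep -v` exits 1 when it selects nothing, so a pattern that matches every line empties `images.txt` and, if the script runs under `set -e` (not visible here), aborts the job. The rename hunk in PATCH 3/5 touches the same lines and would take the same change.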
@@ -27,6 +27,9 @@ jobs:
 - id: set-matrix
 name: Generate image matrix of current master branch
+ env:
+ # Any image that matches any of these patterns will be ignored for scanning.
+ EXCLUDE_PATTERNS: mockserver bats busybox
 working-directory: .github/bin
 run: ./external_docker_image_matrix
diff --git a/charts/radar-gateway/Chart.yaml b/charts/radar-gateway/Chart.yaml
index e17b236e..4ad79cb8 100644
--- a/charts/radar-gateway/Chart.yaml
+++ b/charts/radar-gateway/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "0.8.0"
 description: A Helm chart for RADAR-base gateway. REST Gateway to Kafka, for incoming participant data. It performs authentication, authorization, content validation and decompression. For more details of the configurations, see https://github.com/RADAR-base/RADAR-Gateway/blob/master/gateway.yml.
 name: radar-gateway
-version: 1.4.3
+version: 1.4.4
 icon: "http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png"
 sources:
 - https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/radar-gateway
diff --git a/charts/radar-gateway/README.md b/charts/radar-gateway/README.md
index 046eedea..da0bd54a 100644
--- a/charts/radar-gateway/README.md
+++ b/charts/radar-gateway/README.md
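Review bot: The comment above `EXCLUDE_PATTERNS` says matching images are ignored but not how a match is decided or why these three are excluded, and this is the setting that removes images from the Snyk scan, so it deserves a precise comment such as `# Space-separated grep patterns; any image ref containing one of them is dropped from the scan matrix (presumably test-only helper images, confirm)`. Recording the reason per pattern makes it easier to notice when an exclusion no longer applies.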
@@ -3,7 +3,7 @@
 # radar-gateway
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/radar-gateway)](https://artifacthub.io/packages/helm/radar-base/radar-gateway)
-![Version: 1.4.3](https://img.shields.io/badge/Version-1.4.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.0](https://img.shields.io/badge/AppVersion-0.8.0-informational?style=flat-square)
+![Version: 1.4.4](https://img.shields.io/badge/Version-1.4.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.0](https://img.shields.io/badge/AppVersion-0.8.0-informational?style=flat-square)
 A Helm chart for RADAR-base gateway. REST Gateway to Kafka, for incoming participant data. It performs authentication, authorization, content validation and decompression. For more details of the configurations, see https://github.com/RADAR-base/RADAR-Gateway/blob/master/gateway.yml.
@@ -46,7 +46,7 @@ A Helm chart for RADAR-base gateway. REST Gateway to Kafka, for incoming partici
 | image_exporter.registry | string | `"docker.io"` | Image registry |
 | image_exporter.repository | string | `"sscaling/jmx-prometheus-exporter"` | Image repository |
 | image_exporter.tag | string | `nil` | Image tag (immutable tags are recommended) Overrides the image tag whose default is the chart appVersion. |
-| image_exporter.digest | string | `"48e3bd31f132"` | Image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag |
+| image_exporter.digest | string | `"sha256:48e3bd31f132146751e449429a3e8a260b141f2acd587878fc50b3eda4466c5d"` | Image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag |
 | image_exporter.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | image_exporter.pullSecrets | list | `[]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. e.g: pullSecrets: - myRegistryKeySecretName |
 | nameOverride | string | `""` | String to partially override radar-gateway.fullname template with a string (will prepend the release name) |
diff --git a/charts/radar-gateway/values.yaml b/charts/radar-gateway/values.yaml
index 95bfc678..07eb4139 100644
--- a/charts/radar-gateway/values.yaml
+++ b/charts/radar-gateway/values.yaml
@@ -34,7 +34,7 @@ image_exporter:
 # Overrides the image tag whose default is the chart appVersion.
 tag:
 # -- Image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
- digest: "48e3bd31f132"
+ digest: "sha256:48e3bd31f132146751e449429a3e8a260b141f2acd587878fc50b3eda4466c5d"
 # -- Image pull policy
 pullPolicy: IfNotPresent
 # -- Optionally specify an array of imagePullSecrets.
diff --git a/charts/radar-push-endpoint/Chart.yaml b/charts/radar-push-endpoint/Chart.yaml
index 4701c5e9..d06d9339 100644
--- a/charts/radar-push-endpoint/Chart.yaml
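Review bot: The new `digest:` in charts/radar-gateway/values.yaml pins the exporter image by sha256, but nothing records which upstream tag it was resolved from, so a later maintainer cannot tell whether it is stale or verify it against the registry; add a comment above it such as `# digest of sscaling/jmx-prometheus-exporter:<TAG-PLACEHOLDER>, resolved <DATE-PLACEHOLDER>`. The identical digest is added to the new `image_exporter` block in charts/radar-push-endpoint/values.yaml later in this patch and would take the same comment.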
+++ b/charts/radar-push-endpoint/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "0.3.2"
 description: A Helm chart for RADAR-base Push Endpoint. REST Gateway to Kafka, for incoming data from Push or Subscription based WEB APIs. It performs authentication, authorization and content validation. For more details of the configurations, see https://github.com/RADAR-base/RADAR-PushEndpoint.
 name: radar-push-endpoint
-version: 0.4.1
+version: 0.4.2
 icon: "http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png"
 sources:
 - https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/radar-push-endpoint
diff --git a/charts/radar-push-endpoint/README.md b/charts/radar-push-endpoint/README.md
index 89ad2c6f..fdf08aa1 100644
--- a/charts/radar-push-endpoint/README.md
+++ b/charts/radar-push-endpoint/README.md
@@ -3,7 +3,7 @@
 # radar-push-endpoint
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/radar-push-endpoint)](https://artifacthub.io/packages/helm/radar-base/radar-push-endpoint)
-![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.3.2](https://img.shields.io/badge/AppVersion-0.3.2-informational?style=flat-square)
+![Version: 0.4.2](https://img.shields.io/badge/Version-0.4.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.3.2](https://img.shields.io/badge/AppVersion-0.3.2-informational?style=flat-square)
 A Helm chart for RADAR-base Push Endpoint. REST Gateway to Kafka, for incoming data from Push or Subscription based WEB APIs. It performs authentication, authorization and content validation. For more details of the configurations, see https://github.com/RADAR-base/RADAR-PushEndpoint.
@@ -43,6 +43,12 @@ A Helm chart for RADAR-base Push Endpoint. REST Gateway to Kafka, for incoming d
 | image.digest | string | `""` | Image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | image.pullSecrets | list | `[]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. e.g: pullSecrets: - myRegistryKeySecretName |
+| image_exporter.registry | string | `"docker.io"` | Image registry |
+| image_exporter.repository | string | `"sscaling/jmx-prometheus-exporter"` | Image repository |
+| image_exporter.tag | string | `nil` | Image tag (immutable tags are recommended) Overrides the image tag whose default is the chart appVersion. |
+| image_exporter.digest | string | `"sha256:48e3bd31f132146751e449429a3e8a260b141f2acd587878fc50b3eda4466c5d"` | Image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag |
+| image_exporter.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| image_exporter.pullSecrets | list | `[]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. e.g: pullSecrets: - myRegistryKeySecretName |
 | nameOverride | string | `""` | String to partially override radar-push-endpoint.fullname template with a string (will prepend the release name) |
 | fullnameOverride | string | `""` | String to fully override radar-push-endpoint.fullname template with a string |
 | podSecurityContext | object | `{}` | Configure radar-push-endpoint pods' Security Context |
diff --git a/charts/radar-push-endpoint/templates/_helpers.tpl b/charts/radar-push-endpoint/templates/_helpers.tpl
index e824dc7d..35f93a3d 100644
--- a/charts/radar-push-endpoint/templates/_helpers.tpl
+++ b/charts/radar-push-endpoint/templates/_helpers.tpl
@@ -13,6 +13,12 @@ Return the proper image name
 {{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global "chart" .Chart ) }}
 {{- end -}}
+Return the proper exporter image name
+*/}}
+{{- define "radar-gateway.image-exporter" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.image_exporter "global" .Values.global "chart" .Chart ) }}
+{{- end -}}
+
 {{/*
 Return the proper Docker Image Registry Secret Names
 */}}
diff --git a/charts/radar-push-endpoint/templates/deployment.yaml b/charts/radar-push-endpoint/templates/deployment.yaml
index 78e623dd..caffd3fc 100644
--- a/charts/radar-push-endpoint/templates/deployment.yaml
+++ b/charts/radar-push-endpoint/templates/deployment.yaml
@@ -43,10 +43,10 @@ spec:
 topologyKey: "kubernetes.io/hostname"
 containers:
 {{- if .Values.serviceMonitor.enabled }}
- - image: sscaling/jmx-prometheus-exporter
+ - image: {{ template "radar-gateway.image-exporter" . }}
+ imagePullPolicy: {{ .Values.image_exporter.pullPolicy | quote }}
 securityContext:
 {{- toYaml .Values.securityContext | nindent 12 }}
- imagePullPolicy: IfNotPresent
 name: prometheus-jmx-exporter
 env:
 - name: "CONFIG_YML"
diff --git a/charts/radar-push-endpoint/values.yaml b/charts/radar-push-endpoint/values.yaml
index 99fe5eed..2d7d09cd 100644
--- a/charts/radar-push-endpoint/values.yaml
+++ b/charts/radar-push-endpoint/values.yaml
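Review bot: The new comment in _helpers.tpl is never opened: `Return the proper exporter image name` and `*/}}` follow `{{- end -}}` directly, and the hunk's line counts leave no room for a `{{/*` line, so as far as this hunk shows the two lines are bare template text rather than a comment. Helm does not render `_helpers.tpl` partials, so nothing should leak into manifests, but the block should read `{{/*` / `Return the proper exporter image name` / `*/}}` with a blank line after the preceding `{{- end -}}`, matching the other helpers in the file. PATCH 5/5 renames the define but keeps this layout.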
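Review bot: In deployment.yaml the exporter container now takes its image and pull policy from `.Values.image_exporter`, and values.yaml gains `image_exporter.pullSecrets`, but this hunk does not show the pod's `imagePullSecrets` being extended with them; if the pull-secrets helper (outside this hunk) only receives `.Values.image`, the exporter's secrets are silently ignored and the pull fails once the image is served from a private registry. Confirm the helper is passed `.Values.image_exporter` as well, or document in values.yaml that `image_exporter.pullSecrets` is not yet wired up. The `containers:` list continues outside the hunk.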
@@ -25,6 +25,26 @@ image:
 #
 pullSecrets: []
+image_exporter:
+ # -- Image registry
+ registry: docker.io
+ # -- Image repository
+ repository: sscaling/jmx-prometheus-exporter
+ # -- Image tag (immutable tags are recommended)
+ # Overrides the image tag whose default is the chart appVersion.
+ tag:
+ # -- Image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+ digest: "sha256:48e3bd31f132146751e449429a3e8a260b141f2acd587878fc50b3eda4466c5d"
+ # -- Image pull policy
+ pullPolicy: IfNotPresent
+ # -- Optionally specify an array of imagePullSecrets.
+ # Secrets must be manually created in the namespace.
+ # e.g:
+ # pullSecrets:
+ # - myRegistryKeySecretName
+ #
+ pullSecrets: []
+
 # -- String to partially override radar-push-endpoint.fullname template with a string (will prepend the release name)
 nameOverride: ""
 # -- String to fully override radar-push-endpoint.fullname template with a string
diff --git a/external/grafana/Chart.yaml b/external/grafana/Chart.yaml
index 3e7f2fd1..b6abe325 100644
--- a/external/grafana/Chart.yaml
+++ b/external/grafana/Chart.yaml
@@ -6,7 +6,7 @@ annotations:
 - name: Upstream Project
 url: https://github.com/grafana/grafana
 apiVersion: v2
-appVersion: 11.1.0
+appVersion: 11.2.2-security-01
 description: The leading tool for querying and visualizing time series and metrics.
 home: https://grafana.com
 icon: https://artifacthub.io/image/b4fed1a7-6c8f-4945-b99d-096efa3e4116
From b117ff115ad333a933cc2fa9951d40f317cef0bd Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Wed, 19 Feb 2025 15:05:57 +0100
Subject: [PATCH 2/5] feat: add elasticsearch vulnerabilities to ignore list
---
 .snyk | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/.snyk b/.snyk
index a0bedc42..fa9c4e2b 100644
--- a/.snyk
+++ b/.snyk
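Review bot: `tag:` in the new `image_exporter` block is a bare key, which YAML loads as null (the README row for it renders `nil`); since `digest` is set and its comment says it overrides the tag, the null has no effect today, but the file should say so rather than leave it looking like an accidental omission, e.g. `# Leave empty to fall back to the chart appVersion; ignored while digest is set.` This mirrors the existing block in charts/radar-gateway/values.yaml, so whichever wording is chosen should be applied to both. The surrounding `image:` block starts outside the hunk.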
@@ -1,6 +1,33 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
-version: v1.25.0
+version: v1.25.1
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
+ SNYK-UBUNTU2004-OPENSSL-2426343:
+ - '*':
+ reason: >-
+ We will not update the elasticsearch version because other other
+ activities take priority (by Keyvan).
+ expires: 2025-06-01T00:00:00.000Z
+ created: 2025-02-19T13:31:54.411Z
+ SNYK-UBUNTU2004-OPENSSL-3314788:
+ - '*':
+ reason: >-
+ We will not update the elasticsearch version because other other
+ activities take priority (by Keyvan).
+ expires: 2025-06-01T00:00:00.000Z
+ created: 2025-02-19T13:31:57.376Z
+ SNYK-UBUNTU2004-NGHTTP2-5954795:
+ - '*':
+ reason: >-
+ We will not update the elasticsearch version because other other
+ activities take priority (by Keyvan).
+ expires: 2025-06-01T00:00:00.000Z
+ created: 2025-02-19T13:32:00.023Z
+ SNYK-UBUNTU2004-CYRUSSASL2-2408941:
+ - '*':
+ reason: >-
+ We will not update the elasticsearch version because other other
+ activities take priority (by Keyvan).
+ expires: 2025-06-01T00:00:00.000Z
+ created: 2025-02-19T13:32:02.710Z
 patch: {}
-exclude:
From 10db2f57306096b1ef35b97a58891864e85e29d7 Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Wed, 19 Feb 2025 15:11:28 +0100
Subject: [PATCH 3/5] fix: exclude images via EXCLUDE_PATTERNS var
---
 .github/bin/external_docker_image_matrix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/bin/external_docker_image_matrix b/.github/bin/external_docker_image_matrix
index e234b3e2..ddc51460 100755
--- a/.github/bin/external_docker_image_matrix
+++ b/.github/bin/external_docker_image_matrix
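Review bot: Every new ignore uses the path `'*'`, which suppresses that Snyk issue wherever it is found rather than only in the elasticsearch image named in `reason`, so if the docker scan consumes this policy file the same OpenSSL, nghttp2 and cyrus-sasl findings would also be hidden in any other image built on the same base. Scope each entry to the elasticsearch image's dependency path as Snyk reports it (`<ELASTICSEARCH-IMAGE-PATH>` in place of `'*'`), or state in `reason` that the suppression is deliberately repository-wide. The `reason` text also repeats `other other` in all four entries, and since the findings resurface when `expires` passes on 2025-06-01, noting where the elasticsearch upgrade is tracked would help the next reader.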
@@ -29,9 +29,9 @@ cat images.tmp1 | grep ".*\/.*\/.*" > images.tmp2
 cat images.tmp1 | grep -v ".*\/.*\/.*" | sed "s/^/docker.io\//g" > images.tmp3
 cat images.tmp2 images.tmp3 | sort | uniq > images.txt
-# Exclude images refs that match any of the patterns passed in with the EXCLUDE_IMAGES environment variable.
-if [ -n "$EXCLUDE_IMAGES" ]; then
- for pattern in $EXCLUDE_IMAGES
+# Exclude images refs that match any of the patterns passed in with the EXCLUDE_PATTERNS environment variable.
+if [ -n "$EXCLUDE_PATTERNS" ]; then
+ for pattern in $EXCLUDE_PATTERNS
 do
 grep -v $pattern images.txt > images.tmp
 mv images.tmp images.txt
From 1908e5a776e3eb7af96749be0c1b05960f4f62ba Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Wed, 19 Feb 2025 15:27:41 +0100
Subject: [PATCH 4/5] fix: check of old commits with commitizen
---
 .pre-commit-config.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 208f329f..4bfb92f0 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -88,6 +88,6 @@ repos:
 rev: v4.1.0
 hooks:
 - id: commitizen
- - id: commitizen-branch
- stages: [pre-push]
- args: [--rev-range, 212b99ff174eaaa16895299d64317ab40bce200d..HEAD]
+# - id: commitizen-branch
+# stages: [pre-push]
+# args: [--rev-range, HEAD^1..HEAD]
From e69ae7e39f0e69756c235b9f12c4cce8edae3fa1 Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Wed, 19 Feb 2025 16:46:32 +0100
Subject: [PATCH 5/5] fix: name of template function for radar-push-endpoint
---
 charts/radar-push-endpoint/templates/_helpers.tpl | 2 +-
 charts/radar-push-endpoint/templates/deployment.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/radar-push-endpoint/templates/_helpers.tpl b/charts/radar-push-endpoint/templates/_helpers.tpl
index 35f93a3d..f9daa6cb 100644
--- a/charts/radar-push-endpoint/templates/_helpers.tpl
+++ b/charts/radar-push-endpoint/templates/_helpers.tpl
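Review bot: In .pre-commit-config.yaml, commenting out the `commitizen-branch` hook disables commit-message validation on push entirely rather than fixing it, while the commented `args` line is also changed to `HEAD^1..HEAD`, so it is unclear whether this is a temporary workaround or the intended end state; the commit title (`fix: check of old commits with commitizen`) suggests the check was meant to keep running. Either delete the dead lines or add a comment above them stating why the hook is disabled and when it returns, e.g. `# commitizen-branch disabled: <REASON-PLACEHOLDER>; re-enable with --rev-range HEAD^1..HEAD once resolved`. The enclosing `repos:` entry starts outside the hunk.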
@@ -15,7 +15,7 @@ Return the proper image name
 Return the proper exporter image name
 */}}
-{{- define "radar-gateway.image-exporter" -}}
+{{- define "radar-push-endpoint.image-exporter" -}}
 {{ include "common.images.image" (dict "imageRoot" .Values.image_exporter "global" .Values.global "chart" .Chart ) }}
 {{- end -}}
diff --git a/charts/radar-push-endpoint/templates/deployment.yaml b/charts/radar-push-endpoint/templates/deployment.yaml
index caffd3fc..fd211e1f 100644
--- a/charts/radar-push-endpoint/templates/deployment.yaml
+++ b/charts/radar-push-endpoint/templates/deployment.yaml
@@ -43,7 +43,7 @@ spec:
 topologyKey: "kubernetes.io/hostname"
 containers:
 {{- if .Values.serviceMonitor.enabled }}
- - image: {{ template "radar-gateway.image-exporter" . }}
+ - image: {{ template "radar-push-endpoint.image-exporter" . }}
 imagePullPolicy: {{ .Values.image_exporter.pullPolicy | quote }}
 securityContext:
 {{- toYaml .Values.securityContext | nindent 12 }}