Merge pull request #437 from fluxcd/release-v0.17.2

hiddeco · web-flow · commit 5fe66f417c4c · 2022-03-15T13:57:21.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,28 @@
 # Changelog
 
+## 0.17.2
+
+**Release date:** 2022-03-15
+
+This prerelease comes with an update for `github.com/containerd/containerd` to
+`v1.5.10` to please static security analysers and fix any warnings for
+CVE-2022-23648.
+
+In addition, it updates Helm from a forked and patched `v3.8.0`, to the
+official `v3.8.1` release, and updates minor dependencies.
+
+The Deployment manifest contains a patch to set the
+`.spec.securityContext.fsGroup`, which may be required for some EKS setups
+as reported in https://github.com/fluxcd/flux2/issues/2537.
+
+Improvements:
+- Update Helm to v3.8.1
+  [#434](https://github.com/fluxcd/helm-controller/pull/434)
+- add fsgroup for securityContext
+  [#435](https://github.com/fluxcd/helm-controller/pull/435)
+- Update containerd to v1.5.10 and tidy go.mod
+  [#436](https://github.com/fluxcd/helm-controller/pull/436)
+
 ## 0.17.1
 
 **Release date:** 2022-02-22
diff --git a/config/manager/deployment.yaml b/config/manager/deployment.yaml
@@ -18,6 +18,10 @@ spec:
         prometheus.io/port: "8080"
     spec:
       terminationGracePeriodSeconds: 600
+      securityContext:
+        # Required for AWS IAM Role bindings
+        # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
+        fsGroup: 1337
       containers:
       - name: manager
         image: fluxcd/helm-controller
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -5,4 +5,4 @@ resources:
 images:
   - name: fluxcd/helm-controller
     newName: fluxcd/helm-controller
-    newTag: v0.17.1
+    newTag: v0.17.2
diff --git a/go.mod b/go.mod
@@ -5,7 +5,7 @@ go 1.17
 replace github.com/fluxcd/helm-controller/api => ./api
 
 require (
-	github.com/fluxcd/helm-controller/api v0.17.1
+	github.com/fluxcd/helm-controller/api v0.17.2
 	github.com/fluxcd/pkg/apis/acl v0.0.3
 	github.com/fluxcd/pkg/apis/kustomize v0.3.1
 	github.com/fluxcd/pkg/apis/meta v0.10.2
@@ -16,26 +16,32 @@ require (
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.17.0
 	github.com/spf13/pflag v1.0.5
-	github.com/yvasiyarov/go-metrics v0.0.0-20150112132944-c25f46c4b940 // indirect
-	github.com/yvasiyarov/gorelic v0.0.7 // indirect
-	github.com/yvasiyarov/newrelic_platform_go v0.0.0-20160601141957-9c099fbc30e9 // indirect
-	golang.org/x/text v0.3.7 // indirect
-	helm.sh/helm/v3 v3.8.0
-	k8s.io/api v0.23.1
-	k8s.io/apiextensions-apiserver v0.23.1
-	k8s.io/apimachinery v0.23.1
-	k8s.io/cli-runtime v0.23.1
-	k8s.io/client-go v0.23.1
+	helm.sh/helm/v3 v3.8.1
+	k8s.io/api v0.23.4
+	k8s.io/apiextensions-apiserver v0.23.4
+	k8s.io/apimachinery v0.23.4
+	k8s.io/cli-runtime v0.23.4
+	k8s.io/client-go v0.23.4
 	sigs.k8s.io/controller-runtime v0.11.0
 	sigs.k8s.io/kustomize/api v0.10.1
 	sigs.k8s.io/yaml v1.3.0
 )
 
-// Temporary fork of Helm v3.8.0 with patch applied from
-// https://github.com/helm/helm/pull/10486 to solve memory leak and issues as
-// described in https://github.com/fluxcd/helm-controller/issues/351.
-// TODO: Remove once Helm v3.8.1 is released.
-replace helm.sh/helm/v3 v3.8.0 => github.com/hiddeco/helm/v3 v3.0.0-20220128105410-34ef0a7a5811
+// Pin kustomize to v4.4.1
+replace (
+	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.10.1
+	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.13.0
+)
+
+// Fix CVE-2021-30465
+// Fix CVE-2021-43784
+// Fix GO-2021-0085
+// Fix GO-2021-0087
+replace github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.3
+
+// Fix CVE-2021-43816
+// Fix CVE-2022-23648
+replace github.com/containerd/containerd => github.com/containerd/containerd v1.5.10
 
 require (
 	cloud.google.com/go v0.99.0 // indirect
@@ -141,7 +147,8 @@ require (
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
 	golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
-	golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b // indirect
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
+	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
@@ -153,39 +160,14 @@ require (
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
-	k8s.io/apiserver v0.23.1 // indirect
-	k8s.io/component-base v0.23.1 // indirect
+	k8s.io/apiserver v0.23.4 // indirect
+	k8s.io/component-base v0.23.4 // indirect
 	k8s.io/klog/v2 v2.30.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
-	k8s.io/kubectl v0.23.1 // indirect
+	k8s.io/kubectl v0.23.4 // indirect
 	k8s.io/utils v0.0.0-20211208161948-7d6a63dca704 // indirect
 	oras.land/oras-go v1.1.0 // indirect
 	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.13.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 )
-
-// pin kustomize to v4.4.1
-replace (
-	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.10.1
-	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.13.0
-)
-
-// Fix CVE-2021-41092
-// Due to https://github.com/oras-project/oras-go/blob/v0.4.0/go.mod#L14
-// pulled in by Helm.
-replace github.com/docker/cli => github.com/docker/cli v20.10.9+incompatible
-
-// Fix CVE-2021-30465
-// Fix CVE-2021-43784
-// Fix GO-2021-0085
-// Fix GO-2021-0087
-replace github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.3
-
-// Fix CVE-2021-41190
-// Due to https://github.com/oras-project/oras-go/blob/v0.4.0/go.mod#L21,
-// pulled in by Helm.
-replace github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2
-
-// Fix CVE-2021-43816
-replace github.com/containerd/containerd => github.com/containerd/containerd v1.5.9
diff --git a/go.sum b/go.sum
diff --git a/tests/fuzz/go.mod b/tests/fuzz/go.mod
