Merge pull request #410 from fluxcd/release-v0.16.0

stefanprodan · web-flow · commit 770f4e8d2944 · 2022-02-01T10:35:56.000+02:00
Release v0.16.0
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,67 @@
 # Changelog
 
+## 0.16.0
+
+**Release date:** 2022-02-01
+
+This prerelease comes with security improvements for multi-tenant clusters:
+- Platform admins can enforce impersonation across the cluster using the `--default-service-account` flag.
+  When the flag is set, all `HelmReleases`, which don't have `spec.serviceAccountName` specified,
+  use the service account name provided by `--default-service-account=<SA Name>` in the namespace of the object.
+- Platform admins can disable cross-namespace references with the `--no-cross-namespace-refs=true` flag.
+  When this flag is set, `HelmReleases` can only refer to sources (`HelmRepositories`, `GitRepositories` and `Buckets`)
+  in the same namespace as the `HelmRelease` object, preventing tenants from accessing another tenant's repositories.
+
+In addition, the controller comes with a temporary fork of Helm v3.8.0 with a patch applied from
+[helm/pull/10486](https://github.com/helm/helm/pull/10486) to solve a memory leak.
+
+The controller container images are signed with
+[Cosign and GitHub OIDC](https://github.com/sigstore/cosign/blob/22007e56aee419ae361c9f021869a30e9ae7be03/KEYLESS.md),
+and a Software Bill of Materials in [SPDX format](https://spdx.dev) has been published on the release page.
+
+Starting with this version, the controller deployment conforms to the
+Kubernetes [restricted pod security standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted):
+- all Linux capabilities were dropped
+- the root filesystem was set to read-only
+- the seccomp profile was set to the runtime default
+- run as non-root was enabled
+- the user and group ID was set to 65534
+
+**Breaking changes**:
+- The use of new seccomp API requires Kubernetes 1.19.
+- The controller container is now executed under 65534:65534 (userid:groupid).
+  This change may break deployments that hard-coded the user ID of 'controller' in their PodSecurityPolicy.
+- When both `spec.kubeConfig` and `spec.ServiceAccountName` are specified, the controller will impersonate
+  the service account on the target cluster, previously the controller ignored the service account.
+
+Features:
+- Allow setting a default service account for impersonation
+  [#406](https://github.com/fluxcd/helm-controller/pull/406)
+- Allow disabling cross-namespace references
+  [#408](https://github.com/fluxcd/helm-controller/pull/408)
+
+Improvements:
+- Update Helm to patched 3.8.0
+  [#409](https://github.com/fluxcd/helm-controller/pull/409)
+- Publish SBOM and sign release artifacts
+  [#401](https://github.com/fluxcd/helm-controller/pull/401)
+- Drop capabilities, set userid and enable seccomp
+  [#385](https://github.com/fluxcd/helm-controller/pull/385)
+- Update development documentation
+  [#397](https://github.com/fluxcd/helm-controller/pull/397)
+- Refactor Fuzz implementation
+  [#396](https://github.com/fluxcd/helm-controller/pull/396)
+
+Fixes:
+- Use patch instead of update when adding finalizers
+  [#395](https://github.com/fluxcd/helm-controller/pull/395)
+- Fix the missing protocol for the first port in manager config
+  [#405](https://github.com/fluxcd/helm-controller/pull/405)
+- Use go-install-tool for gen-crd-api-reference-docs
+  [#392](https://github.com/fluxcd/helm-controller/pull/392)
+- Use go install instead of go get in Makefile
+  [#391](https://github.com/fluxcd/helm-controller/pull/391)
+
 ## 0.15.0
 
 **Release date:** 2022-01-10
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -2,8 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: helm-system
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.20.1/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v0.20.1/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.21.1/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.21.1/source-controller.deployment.yaml
 - ../crd
 - ../rbac
 - ../manager
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -5,4 +5,4 @@ resources:
 images:
   - name: fluxcd/helm-controller
     newName: fluxcd/helm-controller
-    newTag: v0.15.0
+    newTag: v0.16.0
diff --git a/go.mod b/go.mod
@@ -5,12 +5,12 @@ go 1.17
 replace github.com/fluxcd/helm-controller/api => ./api
 
 require (
-	github.com/fluxcd/helm-controller/api v0.15.0
+	github.com/fluxcd/helm-controller/api v0.16.0
 	github.com/fluxcd/pkg/apis/acl v0.0.3
 	github.com/fluxcd/pkg/apis/kustomize v0.3.1
 	github.com/fluxcd/pkg/apis/meta v0.10.2
 	github.com/fluxcd/pkg/runtime v0.12.4
-	github.com/fluxcd/source-controller/api v0.20.1
+	github.com/fluxcd/source-controller/api v0.21.1
 	github.com/go-logr/logr v1.2.2
 	github.com/hashicorp/go-retryablehttp v0.6.8
 	github.com/onsi/ginkgo v1.16.5
diff --git a/go.sum b/go.sum
@@ -321,8 +321,8 @@ github.com/fluxcd/pkg/apis/meta v0.10.2/go.mod h1:KQ2er9xa6koy7uoPMZjIjNudB5p4tX
 github.com/fluxcd/pkg/runtime v0.12.3/go.mod h1:imJ2xYy/d4PbSinX2IefmZk+iS2c1P5fY0js8mCE4SM=
 github.com/fluxcd/pkg/runtime v0.12.4 h1:gA27RG/+adN2/7Qe03PB46Iwmye/MusPCpuS4zQ2fW0=
 github.com/fluxcd/pkg/runtime v0.12.4/go.mod h1:gspNvhAqodZgSmK1ZhMtvARBf/NGAlxmaZaIOHkJYsc=
-github.com/fluxcd/source-controller/api v0.20.1 h1:BfYw1gNHykiCVFNtDz3atcf3Vph+arfuveKmouI98wE=
-github.com/fluxcd/source-controller/api v0.20.1/go.mod h1:Ab2qDmAUz6ZCp8UaHYLYzxyFrC1FQqEqjxiROb/Rdiw=
+github.com/fluxcd/source-controller/api v0.21.1 h1:7X39YQHmB1vmIBrHxU+YAqxwtdC9Zh+tdtMKREW3xiQ=
+github.com/fluxcd/source-controller/api v0.21.1/go.mod h1:Ab2qDmAUz6ZCp8UaHYLYzxyFrC1FQqEqjxiROb/Rdiw=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=

-Original file line number
+Diff line change
 replace github.com/fluxcd/helm-controller/api => ./api
 require (
 -	github.com/fluxcd/helm-controller/api v0.15.0
 +	github.com/fluxcd/helm-controller/api v0.16.0
 	github.com/fluxcd/pkg/apis/acl v0.0.3
 	github.com/fluxcd/pkg/apis/kustomize v0.3.1
 	github.com/fluxcd/pkg/apis/meta v0.10.2
 	github.com/fluxcd/pkg/runtime v0.12.4
 -	github.com/fluxcd/source-controller/api v0.20.1
 +	github.com/fluxcd/source-controller/api v0.21.1
 	github.com/go-logr/logr v1.2.2
 	github.com/hashicorp/go-retryablehttp v0.6.8
 	github.com/onsi/ginkgo v1.16.5