diff --git a/CHANGELOG.md b/CHANGELOG.md
index b73d1bdb..8dbaa3c2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [v2.452.2-2] - 2024-08-15
+### Changed
+- [#166] Upgrade OpenJDK to 11.0.24-1
+- Upgrade Alpine to 3.20.2-1
+- The previous glibc compatibility layer was changed to Alpine's `gcompat` library - this change was made due to incompatibilities with the previous `sgerrand` glibc layer which is no more supported for newer Alpine versions
+
+### Security
+- [#166] close CVE-2024-41110
+
 ## [v2.452.2-1] - 2024-07-10
 ### Changed
 - Upgrade Jenkins to 2.452.2; #164
diff --git a/Dockerfile b/Dockerfile
index a633ace2..9166924b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,8 @@
 # cesi/scm
-FROM registry.cloudogu.com/official/java:11.0.20-1
+FROM registry.cloudogu.com/official/java:11.0.24-1
 LABEL NAME="official/jenkins" \
- VERSION="2.452.2-1" \
+ VERSION="2.452.2-2" \
 maintainer="hello@cloudogu.com"
 # jenkins home configuration
@@ -36,7 +36,7 @@ RUN set -o errexit \
 # install coreutils, ttf-dejavu, openssh and scm clients
 # coreutils and ttf-dejavu is required because of java.awt.headless problem:
 # - https://wiki.jenkins.io/display/JENKINS/Jenkins+got+java.awt.headless+problem
- && apk add --no-cache coreutils ttf-dejavu openssh-client git subversion mercurial curl \
+ && apk add --no-cache coreutils ttf-dejavu openssh-client git subversion mercurial curl gcompat \
 && apk add openjdk8="$ADDITIONAL_OPENJDK8_VERSION" \
 # could use ADD but this one does not check Last-Modified header
 # see https://github.com/docker/docker/issues/8331
@@ -52,21 +52,15 @@ RUN set -o errexit \
 && printf "[global]\nssl-authority-files=/var/lib/jenkins/ca-certificates.crt\n" > /etc/subversion/server \
 # install glibc for alpine
 # make sure that jenkins is able to execute Oracle JDK, which can be installed over the global tool installer
- && apk add --no-cache libstdc++ \
- && curl -Lo /tmp/glibc.apk "https://github.com/sgerrand/alpine-pkg-glibc/releases/download/${GLIBC_VERSION}/glibc-${GLIBC_VERSION}.apk" \
- && echo "${SHA256_GLIB_APK} */tmp/glibc.apk" |sha256sum -c - \
- && apk add --no-cache --allow-untrusted /tmp/glibc.apk \
- && curl -Lo /tmp/glibc-bin.apk "https://github.com/sgerrand/alpine-pkg-glibc/releases/download/${GLIBC_VERSION}/glibc-bin-${GLIBC_VERSION}.apk" \
- && echo "${SHA256_GLIB_BIN_APK} */tmp/glibc-bin.apk" |sha256sum -c - \
- && apk add --no-cache --allow-untrusted /tmp/glibc-bin.apk \
- && curl -Lo /tmp/glibc-i18n.apk "https://github.com/sgerrand/alpine-pkg-glibc/releases/download/${GLIBC_VERSION}/glibc-i18n-${GLIBC_VERSION}.apk" \
- && echo "${SHA256_GLIB_I18N_APK} */tmp/glibc-i18n.apk" |sha256sum -c - \
- && apk add --no-cache --allow-untrusted /tmp/glibc-i18n.apk \
- # do not abort https://github.com/sgerrand/alpine-pkg-glibc/issues/5
- && (/usr/glibc-compat/bin/localedef --force --inputfile POSIX --charmap UTF-8 C.UTF-8 || true ) \
- && echo "export LANG=C.UTF-8" > /etc/profile.d/locale.sh \
- && /usr/glibc-compat/sbin/ldconfig /lib /usr/glibc-compat/lib \
- # cleanup
+ && apk add --no-cache libstdc++ gcompat
+
+ RUN (/usr/glibc-compat/bin/localedef --force --inputfile POSIX --charmap UTF-8 C.UTF-8 || true )
+
+ RUN set -o errexit \
+ && set -o nounset \
+ && set -o pipefail \
+ echo "export LANG=C.UTF-8" > /etc/profile.d/locale.sh \
+ # cleanup
 && apk del curl \
 && rm -rf /tmp/* /var/cache/apk/*
diff --git a/Jenkinsfile b/Jenkinsfile
index 8aab5d63..aaf07a2c 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
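Review bot: The new `RUN set -o errexit ... && set -o pipefail \` is followed by `echo "export LANG=C.UTF-8" > /etc/profile.d/locale.sh \` with no joining `&&`, so the shell treats `echo` and the string as extra arguments of `set -o pipefail`; the redirection still creates `/etc/profile.d/locale.sh`, but empty, and `LANG` is never exported. The fix is the single token `&& echo "export LANG=C.UTF-8" > /etc/profile.d/locale.sh \`. The separate `RUN (/usr/glibc-compat/bin/localedef ... || true)` still points at the sgerrand layout this commit removes; the goss spec in the same diff expects gcompat's `/lib/libgcompat.so.0`, so that path presumably no longer exists and the line is a silently swallowed no-op that should be dropped, or carry a comment saying why it is kept. Replacing the `--allow-untrusted` GitHub-downloaded apks with the repository-signed `gcompat` package is a real supply-chain improvement and deserves a one-line comment where `# install glibc for alpine` now sits.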
@@ -1,5 +1,5 @@
 #!groovy
-@Library(['github.com/cloudogu/ces-build-lib@2.1.0', 'github.com/cloudogu/dogu-build-lib@v2.3.0'])
+@Library(['github.com/cloudogu/ces-build-lib@2.2.1', 'github.com/cloudogu/dogu-build-lib@v2.3.1'])
 import com.cloudogu.ces.cesbuildlib.*
 import com.cloudogu.ces.dogubuildlib.*
diff --git a/Makefile b/Makefile
index a5f1e95a..d3af3d98 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-MAKEFILES_VERSION=9.0.3
+MAKEFILES_VERSION=9.1.0
 .DEFAULT_GOAL:=dogu-release
diff --git a/build/make/build.mk b/build/make/build.mk
index b102149b..857c11d4 100644
--- a/build/make/build.mk
+++ b/build/make/build.mk
@@ -3,7 +3,7 @@ ADDITIONAL_LDFLAGS?=-extldflags -static
 LDFLAGS?=-ldflags "$(ADDITIONAL_LDFLAGS) -X main.Version=$(VERSION) -X main.CommitID=$(COMMIT_ID)"
 GOIMAGE?=golang
-GOTAG?=1.14.13
+GOTAG?=1.22
 GOOS?=linux
 GOARCH?=amd64
 PRE_COMPILE?=
diff --git a/build/make/k8s-component.mk b/build/make/k8s-component.mk
index 9d291839..6c1f6c41 100644
--- a/build/make/k8s-component.mk
+++ b/build/make/k8s-component.mk
@@ -2,7 +2,9 @@ COMPONENT_DEV_VERSION?=${VERSION}-dev
 include ${BUILD_DIR}/make/k8s.mk
-BINARY_HELM_ADDITIONAL_PUSH_ARGS?=--plain-http
+ifeq (${RUNTIME_ENV}, local)
+ BINARY_HELM_ADDITIONAL_PUSH_ARGS?=--plain-http
+endif
 BINARY_HELM_ADDITIONAL_PACK_ARGS?=
 BINARY_HELM_ADDITIONAL_UNINST_ARGS?=
 BINARY_HELM_ADDITIONAL_UPGR_ARGS?=
@@ -12,6 +14,9 @@ HELM_SOURCE_DIR ?= k8s/helm
 HELM_RELEASE_TGZ=${HELM_TARGET_DIR}/${ARTIFACT_ID}-${VERSION}.tgz
 HELM_DEV_RELEASE_TGZ=${HELM_TARGET_DIR}/${ARTIFACT_ID}-${COMPONENT_DEV_VERSION}.tgz
 HELM_ARTIFACT_NAMESPACE?=k8s
+ifeq (${RUNTIME_ENV}, remote)
+ HELM_ARTIFACT_NAMESPACE?=testing/k8s
+endif
 K8S_RESOURCE_COMPONENT ?= "${K8S_RESOURCE_TEMP_FOLDER}/component-${ARTIFACT_ID}-${VERSION}.yaml"
 K8S_RESOURCE_COMPONENT_CR_TEMPLATE_YAML ?= $(BUILD_DIR)/make/k8s-component.tpl
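Review bot: In the second k8s-component.mk hunk the line `HELM_ARTIFACT_NAMESPACE?=testing/k8s` inside `ifeq (${RUNTIME_ENV}, remote)` can never take effect, because `HELM_ARTIFACT_NAMESPACE?=k8s` two lines above has already set the variable and `?=` only assigns when the variable is unset. In remote mode the helm-chart-import targets therefore push to `oci://registry.cloudogu.com/k8s` instead of the `testing` namespace the k8s.mk comments describe, which, if the logged-in account has write access there, is a production path. Either use a plain assignment, `HELM_ARTIFACT_NAMESPACE=testing/k8s`, or move the `?=k8s` default below the `endif`. Guarding `--plain-http` with `ifeq (${RUNTIME_ENV}, local)` in the first hunk is the right direction: only the cluster-local registry is pushed over plain HTTP.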
@@ -75,12 +80,12 @@ helm-update-dependencies: ${BINARY_HELM} ## Update Helm chart dependencies
 .PHONY: helm-apply
 helm-apply: ${BINARY_HELM} check-k8s-namespace-env-var ${IMAGE_IMPORT_TARGET} helm-generate ${HELM_PRE_APPLY_TARGETS} ## Generates and installs the Helm chart.
 @echo "Apply generated helm chart"
- @${BINARY_HELM} upgrade -i ${ARTIFACT_ID} ${HELM_TARGET_DIR} ${BINARY_HELM_ADDITIONAL_UPGR_ARGS} --namespace ${NAMESPACE}
+ @${BINARY_HELM} --kube-context="${KUBE_CONTEXT_NAME}" upgrade -i ${ARTIFACT_ID} ${HELM_TARGET_DIR} ${BINARY_HELM_ADDITIONAL_UPGR_ARGS} --namespace ${NAMESPACE}
 .PHONY: helm-delete
 helm-delete: ${BINARY_HELM} check-k8s-namespace-env-var ## Uninstalls the current Helm chart.
 @echo "Uninstall helm chart"
- @${BINARY_HELM} uninstall ${ARTIFACT_ID} --namespace=${NAMESPACE} ${BINARY_HELM_ADDITIONAL_UNINST_ARGS} || true
+ @${BINARY_HELM} --kube-context="${KUBE_CONTEXT_NAME}" uninstall ${ARTIFACT_ID} --namespace=${NAMESPACE} ${BINARY_HELM_ADDITIONAL_UNINST_ARGS} || true
 .PHONY: helm-reinstall
 helm-reinstall: helm-delete helm-apply ## Uninstalls the current helm chart and reinstalls it.
@@ -88,11 +93,11 @@ helm-reinstall: helm-delete helm-apply ## Uninstalls the current helm chart and
 .PHONY: helm-chart-import
 helm-chart-import: ${CHECK_VAR_TARGETS} helm-generate helm-package ${IMAGE_IMPORT_TARGET} ## Imports the currently available chart into the cluster-local registry.
 @if [[ ${STAGE} == "development" ]]; then \
- echo "Import ${HELM_DEV_RELEASE_TGZ} into K8s cluster ${K3CES_REGISTRY_URL_PREFIX}..."; \
- ${BINARY_HELM} push ${HELM_DEV_RELEASE_TGZ} oci://${K3CES_REGISTRY_URL_PREFIX}/${HELM_ARTIFACT_NAMESPACE} ${BINARY_HELM_ADDITIONAL_PUSH_ARGS}; \
+ echo "Import ${HELM_DEV_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}..."; \
+ ${BINARY_HELM} push ${HELM_DEV_RELEASE_TGZ} oci://${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE} ${BINARY_HELM_ADDITIONAL_PUSH_ARGS}; \
 else \
- echo "Import ${HELM_RELEASE_TGZ} into K8s cluster ${K3CES_REGISTRY_URL_PREFIX}..."; \
- ${BINARY_HELM} push ${HELM_RELEASE_TGZ} oci://${K3CES_REGISTRY_URL_PREFIX}/${HELM_ARTIFACT_NAMESPACE} ${BINARY_HELM_ADDITIONAL_PUSH_ARGS}; \
+ echo "Import ${HELM_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}..."; \
+ ${BINARY_HELM} push ${HELM_RELEASE_TGZ} oci://${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE} ${BINARY_HELM_ADDITIONAL_PUSH_ARGS}; \
 fi
 @echo "Done."
@@ -115,7 +120,7 @@ ${HELM_RELEASE_TGZ}: ${BINARY_HELM} ${HELM_TARGET_DIR}/Chart.yaml ${HELM_POST_GE
 .PHONY: helm-delete-existing-tgz
 helm-delete-existing-tgz: ## Remove an existing Helm package from the target directory.
 @echo "Delete ${HELM_RELEASE_TGZ}*"
- @rm -f ${HELM_RELEASE_TGZ}*
+ @rm -f ${HELM_TARGET_DIR}/${ARTIFACT_ID}-*.tgz
 ##@ K8s - Helm lint targets
@@ -138,12 +143,12 @@ ${K8S_RESOURCE_COMPONENT_CR_TEMPLATE_YAML}: ${K8S_RESOURCE_TEMP_FOLDER}
 .PHONY: component-apply
 component-apply: check-k8s-namespace-env-var ${COMPONENT_PRE_APPLY_TARGETS} ${IMAGE_IMPORT_TARGET} helm-generate helm-chart-import component-generate ## Applies the component yaml resource to the actual defined context.
- @kubectl apply -f "${K8S_RESOURCE_COMPONENT}" --namespace="${NAMESPACE}"
+ @kubectl apply -f "${K8S_RESOURCE_COMPONENT}" --namespace="${NAMESPACE}" --context="${KUBE_CONTEXT_NAME}"
 @echo "Done."
 .PHONY: component-delete
 component-delete: check-k8s-namespace-env-var component-generate $(K8S_POST_GENERATE_TARGETS) ## Deletes the component yaml resource from the actual defined context.
- @kubectl delete -f "${K8S_RESOURCE_COMPONENT}" --namespace="${NAMESPACE}" || true
+ @kubectl delete -f "${K8S_RESOURCE_COMPONENT}" --namespace="${NAMESPACE}" --context="${KUBE_CONTEXT_NAME}" || true
 @echo "Done."
 .PHONY: component-reinstall
diff --git a/build/make/k8s-crd.mk b/build/make/k8s-crd.mk
index 4cbcd884..090b0290 100644
--- a/build/make/k8s-crd.mk
+++ b/build/make/k8s-crd.mk
@@ -62,19 +62,19 @@ validate-crd-chart:
 .PHONY: crd-helm-apply
 crd-helm-apply: ${BINARY_HELM} check-k8s-namespace-env-var crd-helm-generate ## Generates and installs the Helm CRD chart.
 @echo "Apply generated Helm CRD chart"
- @${BINARY_HELM} upgrade -i ${ARTIFACT_CRD_ID} ${HELM_CRD_TARGET_DIR} ${BINARY_HELM_ADDITIONAL_UPGR_ARGS} --namespace ${NAMESPACE}
+ @${BINARY_HELM} --kube-context="${KUBE_CONTEXT_NAME}" upgrade -i ${ARTIFACT_CRD_ID} ${HELM_CRD_TARGET_DIR} ${BINARY_HELM_ADDITIONAL_UPGR_ARGS} --namespace ${NAMESPACE}
 .PHONY: crd-helm-delete
 crd-helm-delete: ${BINARY_HELM} check-k8s-namespace-env-var ## Uninstalls the current Helm CRD chart.
 @echo "Uninstall Helm CRD chart"
- @${BINARY_HELM} uninstall ${ARTIFACT_CRD_ID} --namespace=${NAMESPACE} ${BINARY_HELM_ADDITIONAL_UNINST_ARGS} || true
+ @${BINARY_HELM} --kube-context="${KUBE_CONTEXT_NAME}" uninstall ${ARTIFACT_CRD_ID} --namespace=${NAMESPACE} ${BINARY_HELM_ADDITIONAL_UNINST_ARGS} || true
 .PHONY: crd-helm-package
 crd-helm-package: crd-helm-delete-existing-tgz ${HELM_CRD_RELEASE_TGZ} ## Generates and packages the Helm CRD chart.
 .PHONY: crd-helm-delete-existing-tgz
 crd-helm-delete-existing-tgz: ## Remove an existing Helm CRD package.
- @rm -f ${HELM_CRD_RELEASE_TGZ}*
+ @rm -f ${HELM_CRD_TARGET_DIR}/${ARTIFACT_CRD_ID}-*.tgz
 ${HELM_CRD_RELEASE_TGZ}: ${BINARY_HELM} crd-helm-generate ## Generates and packages the Helm CRD chart.
 @echo "Package generated helm crd-chart"
@@ -83,11 +83,11 @@ ${HELM_CRD_RELEASE_TGZ}: ${BINARY_HELM} crd-helm-generate ## Generates and packa
 .PHONY: crd-helm-chart-import
 crd-helm-chart-import: ${CHECK_VAR_TARGETS} check-k8s-artifact-id crd-helm-generate crd-helm-package ## Imports the currently available Helm CRD chart into the cluster-local registry.
 @if [[ ${STAGE} == "development" ]]; then \
- echo "Import ${HELM_CRD_DEV_RELEASE_TGZ} into K8s cluster ${K3CES_REGISTRY_URL_PREFIX}..."; \
- ${BINARY_HELM} push ${HELM_CRD_DEV_RELEASE_TGZ} oci://${K3CES_REGISTRY_URL_PREFIX}/${HELM_ARTIFACT_NAMESPACE} ${BINARY_HELM_ADDITIONAL_PUSH_ARGS}; \
+ echo "Import ${HELM_CRD_DEV_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}..."; \
+ ${BINARY_HELM} push ${HELM_CRD_DEV_RELEASE_TGZ} oci://${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE} ${BINARY_HELM_ADDITIONAL_PUSH_ARGS}; \
 else \
- echo "Import ${HELM_CRD_RELEASE_TGZ} into K8s cluster ${K3CES_REGISTRY_URL_PREFIX}..."; \
- ${BINARY_HELM} push ${HELM_CRD_RELEASE_TGZ} oci://${K3CES_REGISTRY_URL_PREFIX}/${HELM_ARTIFACT_NAMESPACE} ${BINARY_HELM_ADDITIONAL_PUSH_ARGS}; \
+ echo "Import ${HELM_CRD_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}..."; \
+ ${BINARY_HELM} push ${HELM_CRD_RELEASE_TGZ} oci://${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE} ${BINARY_HELM_ADDITIONAL_PUSH_ARGS}; \
 fi
 @echo "Done."
@@ -106,10 +106,10 @@ crd-component-generate: ${K8S_RESOURCE_TEMP_FOLDER} ## Generate the CRD componen
 .PHONY: crd-component-apply
 crd-component-apply: check-k8s-namespace-env-var crd-helm-chart-import crd-component-generate ## Applies the CRD component YAML resource to the actual defined context.
- @kubectl apply -f "${K8S_RESOURCE_CRD_COMPONENT}" --namespace="${NAMESPACE}"
+ @kubectl apply -f "${K8S_RESOURCE_CRD_COMPONENT}" --namespace="${NAMESPACE}" --context="${KUBE_CONTEXT_NAME}"
 @echo "Done."
 .PHONY: crd-component-delete
 crd-component-delete: check-k8s-namespace-env-var crd-component-generate ## Deletes the CRD component YAML resource from the actual defined context.
- @kubectl delete -f "${K8S_RESOURCE_CRD_COMPONENT}" --namespace="${NAMESPACE}" || true
+ @kubectl delete -f "${K8S_RESOURCE_CRD_COMPONENT}" --namespace="${NAMESPACE}" --context="${KUBE_CONTEXT_NAME}" || true
 @echo "Done."
diff --git a/build/make/k8s-dogu.mk b/build/make/k8s-dogu.mk
index 296b1c7a..e656b173 100644
--- a/build/make/k8s-dogu.mk
+++ b/build/make/k8s-dogu.mk
@@ -10,8 +10,6 @@ ARTIFACT_NAMESPACE=$(shell $(BINARY_YQ) -oy -e ".Name" $(DOGU_JSON_FILE) | sed "
 VERSION=$(shell $(BINARY_YQ) -oy -e ".Version" $(DOGU_JSON_FILE))
 # Image of the dogu is extracted from the dogu.json
 IMAGE=$(shell $(BINARY_YQ) -oy -e ".Image" $(DOGU_JSON_FILE)):$(VERSION)
-IMAGE_DEV_WITHOUT_TAG=$(shell $(BINARY_YQ) -oy -e ".Image" $(DOGU_JSON_FILE) | sed "s|registry\.cloudogu\.com\(.\+\)|${K3CES_REGISTRY_URL_PREFIX}\1|g")
-IMAGE_DEV=${IMAGE_DEV_WITHOUT_TAG}
 include $(BUILD_DIR)/make/k8s.mk
@@ -37,13 +35,13 @@ create-dogu-resource: ${BINARY_YQ} $(K8S_RESOURCE_TEMP_FOLDER)
 .PHONY: apply-dogu-resource
 apply-dogu-resource:
- @kubectl apply -f "$(K8S_RESOURCE_DOGU)"
+ @kubectl --context="${KUBE_CONTEXT_NAME}" --namespace=${NAMESPACE} apply -f "$(K8S_RESOURCE_DOGU)"
 ##@ K8s - Dogu
 .PHONY: install-dogu-descriptor
 install-dogu-descriptor: ${BINARY_YQ} $(TARGET_DIR) ## Installs a configmap with current dogu.json into the cluster.
 @echo "Generate configmap from dogu.json..."
- @$(BINARY_YQ) -oj ".Image=\"${IMAGE_DEV_WITHOUT_TAG}\"" ${DOGU_JSON_FILE} > ${DOGU_JSON_DEV_FILE}
- @kubectl create configmap "$(ARTIFACT_ID)-descriptor" --from-file=$(DOGU_JSON_DEV_FILE) --dry-run=client -o yaml | kubectl apply -f - --namespace=${NAMESPACE}
+ @$(BINARY_YQ) -oj ".Image=\"${IMAGE_DEV}\" | .Version=\"${VERSION}\"" ${DOGU_JSON_FILE} > ${DOGU_JSON_DEV_FILE}
+ @kubectl --context="${KUBE_CONTEXT_NAME}" create configmap "$(ARTIFACT_ID)-descriptor" --from-file=$(DOGU_JSON_DEV_FILE) --dry-run=client -o yaml | kubectl --context="${KUBE_CONTEXT_NAME}" --namespace=${NAMESPACE} apply -f -
 @echo "Done."
diff --git a/build/make/k8s.mk b/build/make/k8s.mk
index 0f9fe02a..9f798f46 100644
--- a/build/make/k8s.mk
+++ b/build/make/k8s.mk
@@ -11,7 +11,7 @@ BINARY_YQ_4_VERSION?=v4.40.3
 BINARY_HELM = $(UTILITY_BIN_PATH)/helm
 BINARY_HELM_VERSION?=v3.13.0
 CONTROLLER_GEN = $(UTILITY_BIN_PATH)/controller-gen
-CONTROLLER_GEN_VERSION?=v0.13.0
+CONTROLLER_GEN_VERSION?=v0.14.0
 # Setting SHELL to bash allows bash commands to be executed by recipes.
 # Options are set to exit when a recipe line exits non-zero or a piped command fails.
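Review bot: `apply-dogu-resource` now passes `--namespace=${NAMESPACE}` but, unlike `component-apply` and the helm targets elsewhere in this diff, has no `check-k8s-namespace-env-var` prerequisite; with NAMESPACE unset the flag is empty and kubectl presumably falls back to the default namespace of `${KUBE_CONTEXT_NAME}`, which in remote mode is whatever the developer's current context happens to be. Add the prerequisite, `apply-dogu-resource: check-k8s-namespace-env-var`, and quote the value the way the neighbouring `--context="${KUBE_CONTEXT_NAME}"` is quoted: `--namespace="${NAMESPACE}"`. In `install-dogu-descriptor` the appended `| .Version=\"${VERSION}\"` is a no-op as long as VERSION is read from the same dogu.json (first k8s-dogu.mk hunk); a short comment should say which case it is meant for.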
@@ -22,14 +22,48 @@ SHELL = /usr/bin/env bash -o pipefail
 IMAGE ?=
 # Set production as default stage. Use "development" as stage in your .env file to generate artifacts
-# with development images pointing to K3S_CLUSTER_FQDN.
+# with development images pointing to CES_REGISTRY_URL_PREFIX.
 STAGE?=production
+
+# Set the "local" as runtime-environment, to push images to the container-registry of the local cluster and to apply resources to the local cluster.
+# Use "remote" as runtime-environment in your .env file to push images to the container-registry at "registry.cloudogu.com/testing" and to apply resources to the configured kubernetes-context in KUBE_CONTEXT_NAME.
+RUNTIME_ENV?=local
+$(info RUNTIME_ENV=$(RUNTIME_ENV))
+
+# The host and port of the local cluster
 K3S_CLUSTER_FQDN?=k3ces.local
 K3S_LOCAL_REGISTRY_PORT?=30099
-K3CES_REGISTRY_URL_PREFIX="${K3S_CLUSTER_FQDN}:${K3S_LOCAL_REGISTRY_PORT}"
+
+# The URL of the container-registry to use. Defaults to the registry of the local-cluster.
+# If RUNTIME_ENV is "remote" it is "registry.cloudogu.com/testing"
+CES_REGISTRY_HOST?="${K3S_CLUSTER_FQDN}:${K3S_LOCAL_REGISTRY_PORT}"
+CES_REGISTRY_NAMESPACE ?=
+ifeq (${RUNTIME_ENV}, remote)
+ CES_REGISTRY_HOST="registry.cloudogu.com"
+ CES_REGISTRY_NAMESPACE="/testing"
+endif
+$(info CES_REGISTRY_HOST=$(CES_REGISTRY_HOST))
+
+# The name of the kube-context to use for applying resources.
+# If KUBE_CONTEXT_NAME is empty and RUNTIME_ENV is "remote" the currently configured kube-context is used.
+# If KUBE_CONTEXT_NAME is empty and RUNTIME_ENV is not "remote" the "k3ces.local" is used as kube-context.
+ifeq (${KUBE_CONTEXT_NAME}, )
+ ifeq (${RUNTIME_ENV}, remote)
+ KUBE_CONTEXT_NAME = $(shell kubectl config current-context)
+ else
+ KUBE_CONTEXT_NAME = k3ces.local
+ endif
+endif
+$(info KUBE_CONTEXT_NAME=$(KUBE_CONTEXT_NAME))
+
+# The git branch-name in lowercase, shortened to 63 bytes, and with everything except 0-9 and a-z replaced with -. No leading / trailing -.
+GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9]+/-/g; s/^-+|-+$$//g' | cut -c1-63)
+# The short git commit-hash
+GIT_HASH := $(shell git rev-parse --short HEAD)
+
 ## Image URL to use all building/pushing image targets
-IMAGE_DEV?=${K3CES_REGISTRY_URL_PREFIX}/${ARTIFACT_ID}
-IMAGE_DEV_VERSION=${IMAGE_DEV}:${VERSION}
+IMAGE_DEV?=$(CES_REGISTRY_HOST)$(CES_REGISTRY_NAMESPACE)/$(ARTIFACT_ID)/$(GIT_BRANCH)
+IMAGE_DEV_VERSION=$(IMAGE_DEV):$(VERSION)
 # Variables for the temporary yaml files. These are used as template to generate a development resource containing
 # the current namespace and the dev image.
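Review bot: `KUBE_CONTEXT_NAME = $(shell kubectl config current-context)` uses the recursive flavour, so every `${KUBE_CONTEXT_NAME}` reference in a recipe re-runs kubectl, and the value can even differ between the `helm upgrade` and `kubectl apply` steps of one make run if the user switches contexts meanwhile; write `KUBE_CONTEXT_NAME := $(shell kubectl config current-context)`. For a remote mode that pushes to `registry.cloudogu.com` and applies to a real cluster, silently falling back to the current context means an unset variable installs and uninstalls against whatever cluster happens to be selected; a guard such as `$(error KUBE_CONTEXT_NAME must be set when RUNTIME_ENV=remote)` in that branch would make the target explicit. Note that the quotes in `CES_REGISTRY_HOST="registry.cloudogu.com"` and `CES_REGISTRY_NAMESPACE="/testing"` are part of the Make value (the `$(info ...)` line prints them), so the recipes only work because the shell strips them, and any Make-level string use of these variables would carry literal quote characters. The GIT_BRANCH pipeline strips leading and trailing `-` before `cut -c1-63`, so a name cut at a `-` can still end in one, contrary to the comment above it.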
@@ -64,13 +98,36 @@ check-k8s-artifact-id:
 .PHONY: check-etc-hosts
 check-etc-hosts:
- @grep -E "^.+\s+${K3S_CLUSTER_FQDN}\$$" /etc/hosts > /dev/null || \
- (echo "Missing /etc/hosts entry for ${K3S_CLUSTER_FQDN}" && exit 1)
+ @if [[ ${RUNTIME_ENV} == "local" ]]; then \
+ grep -E "^.+\s+${K3S_CLUSTER_FQDN}\$$" /etc/hosts > /dev/null || \
+ (echo "Missing /etc/hosts entry for ${K3S_CLUSTER_FQDN}" && exit 1) \
+ fi
 .PHONY: check-insecure-cluster-registry
 check-insecure-cluster-registry:
- @grep "${K3CES_REGISTRY_URL_PREFIX}" /etc/docker/daemon.json > /dev/null || \
- (echo "Missing /etc/docker/daemon.json for ${K3CES_REGISTRY_URL_PREFIX}" && exit 1)
+ @if [[ ${RUNTIME_ENV} == "local" ]]; then \
+ grep "${CES_REGISTRY_HOST}" /etc/docker/daemon.json > /dev/null || \
+ (echo "Missing /etc/docker/daemon.json for ${CES_REGISTRY_HOST}" && exit 1) \
+ fi
+
+# If the RUNTIME_ENV is "remote" checks if the current docker-client has credentials for CES_REGISTRY_HOST
+# If no credentials could be found, the credentials are queried and docker-login is performed
+check-docker-credentials:
+ @if [[ "$(RUNTIME_ENV)" == "remote" ]]; then \
+ if ! grep -q $(CES_REGISTRY_HOST) ~/.docker/config.json ; then \
+ echo "Error: Docker is not logged in to $(CES_REGISTRY_HOST)"; \
+ read -p "Enter Docker Username for $(CES_REGISTRY_HOST): " username; \
+ read -sp "Enter Docker Password for $(CES_REGISTRY_HOST): " password; \
+ echo ""; \
+ echo "$$password" | docker login -u "$$username" --password-stdin $(CES_REGISTRY_HOST); \
+ if [ $$? -eq 0 ]; then \
+ echo "Docker login to $(CES_REGISTRY_HOST) successful"; \
+ else \
+ echo "Docker login to $(CES_REGISTRY_HOST) failed"; \
+ exit 1; \
+ fi \
+ fi \
+ fi
 ##@ K8s - Resources
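Review bot: All three new shell blocks lack a `;` before their closing `fi`: in `check-etc-hosts` and `check-insecure-cluster-registry` the continuation `(echo "..." && exit 1) \` is followed directly by `fi`, and in `check-docker-credentials` the nesting closes with `fi \`, `fi \`, `fi`, which bash rejects with "syntax error near unexpected token `fi'" regardless of RUNTIME_ENV. Because `docker-build` now depends on `check-docker-credentials`, as far as this diff shows every image build would stop on that error. Change the two guard lines to `(echo "..." && exit 1); \` and the two inner closers to `fi; \`. The prompt itself handles the secret correctly — the password is read with `read -s` and passed through `--password-stdin`, never on a command line — which is worth keeping when the syntax is fixed.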
@@ -81,7 +138,7 @@ ${K8S_RESOURCE_TEMP_FOLDER}:
 ##@ K8s - Docker
 .PHONY: docker-build
-docker-build: check-k8s-image-env-var ## Builds the docker image of the K8s app.
+docker-build: check-docker-credentials check-k8s-image-env-var ## Builds the docker image of the K8s app.
 @echo "Building docker image $(IMAGE)..."
 @DOCKER_BUILDKIT=1 docker build . -t $(IMAGE)
@@ -93,13 +150,13 @@ docker-dev-tag: check-k8s-image-dev-var docker-build ## Tags a Docker image for
 .PHONY: check-k8s-image-dev-var
 check-k8s-image-dev-var:
 ifeq (${IMAGE_DEV},)
- @echo "Missing make variable IMAGE_DEV detected. It should look like \$${K3CES_REGISTRY_URL_PREFIX}/docker-image:tag"
+ @echo "Missing make variable IMAGE_DEV detected. It should look like \$${CES_REGISTRY_HOST}/docker-image:tag"
 @exit 19
 endif
 .PHONY: image-import
-image-import: check-all-vars check-k8s-artifact-id docker-dev-tag ## Imports the currently available image into the cluster-local registry.
- @echo "Import $(IMAGE_DEV_VERSION) into K8s cluster ${K3S_CLUSTER_FQDN}..."
+image-import: check-all-vars check-k8s-artifact-id docker-dev-tag ## Imports the currently available image into the configured ces-registry.
+ @echo "Import $(IMAGE_DEV_VERSION) into K8s cluster ${KUBE_CONTEXT_NAME}..."
 @docker push $(IMAGE_DEV_VERSION)
 @echo "Done."
@@ -145,4 +202,4 @@ ENVTEST = $(UTILITY_BIN_PATH)/setup-envtest
 envtest: ${ENVTEST} ## Download envtest-setup locally if necessary.
 ${ENVTEST}:
- $(call go-get-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
\ No newline at end of file
+ $(call go-get-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
diff --git a/build/make/static-analysis.mk b/build/make/static-analysis.mk
index 70e64685..0ed0de33 100644
--- a/build/make/static-analysis.mk
+++ b/build/make/static-analysis.mk
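Review bot: `docker-build` gains `check-docker-credentials` as a prerequisite although `docker build` never contacts the registry; only `image-import`'s `docker push` needs the login. In remote mode on a CI agent or any non-TTY shell the interactive `read -p` prompt fails and the build aborts with a login error unrelated to building, and a developer who only wants a local build is forced through a login. Moving the prerequisite to the target that needs it, `image-import: check-docker-credentials check-all-vars check-k8s-artifact-id docker-dev-tag`, keeps the check where the credentials are used. The new message `Import $(IMAGE_DEV_VERSION) into K8s cluster ${KUBE_CONTEXT_NAME}...` is misleading, since the push goes to the registry encoded in the image name irrespective of the kube context; `Push $(IMAGE_DEV_VERSION) to ${CES_REGISTRY_HOST}...` would state what happens.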
@@ -2,14 +2,14 @@ STATIC_ANALYSIS_DIR=$(TARGET_DIR)/static-analysis
 GOIMAGE?=golang
-GOTAG?=1.18
+GOTAG?=1.22
 CUSTOM_GO_MOUNT?=-v /tmp:/tmp
 REVIEW_DOG=$(TMP_DIR)/bin/reviewdog
 LINT=$(TMP_DIR)/bin/golangci-lint
-LINT_VERSION?=v1.49.0
+LINT_VERSION?=v1.58.2
 # ignore tests and mocks
-LINTFLAGS=--tests=false --skip-files="^.*_mock.go$$" --skip-files="^.*/mock.*.go$$" --timeout 10m --issues-exit-code 0
+LINTFLAGS=--tests=false --exclude-files="^.*_mock.go$$" --exclude-files="^.*/mock.*.go$$" --timeout 10m --issues-exit-code 0
 ADDITIONAL_LINTER=-E bodyclose -E containedctx -E contextcheck -E decorder -E dupl -E errname -E forcetypeassert -E funlen -E unparam
 .PHONY: static-analysis
diff --git a/docs/gui/release_notes_de.md b/docs/gui/release_notes_de.md
index 8063267b..dcef7403 100644
--- a/docs/gui/release_notes_de.md
+++ b/docs/gui/release_notes_de.md
@@ -4,6 +4,9 @@ Im Folgenden finden Sie die Release Notes für das Jenkins-Dogu.
 Technische Details zu einem Release finden Sie im zugehörigen [Changelog](https://docs.cloudogu.com/de/docs/dogus/jenkins/CHANGELOG/).
+## Release 2.452.2-2
+* Behebung von kritischem CVE-2024-41110 in Bibliotheksabhängigkeiten. Diese Schwachstelle konnte jedoch nicht aktiv ausgenutzt werden.
+
 ## Release 2.452.2-1
 * Das Dogu bietet nun die Jenkins-Version 2.452.2 an. Die Release Notes von Jenkins finden Sie [hier](https://www.jenkins.io/changelog/#v2.452).
diff --git a/docs/gui/release_notes_en.md b/docs/gui/release_notes_en.md
index 3fc58f7c..18d0570a 100644
--- a/docs/gui/release_notes_en.md
+++ b/docs/gui/release_notes_en.md
@@ -4,6 +4,9 @@ Below you will find the release notes for the Jenkins Dogu.
 Technical details on a release can be found in the corresponding [Changelog](https://docs.cloudogu.com/en/docs/dogus/jenkins/CHANGELOG/).
+## Release 2.452.2-2
+* Fix of critical CVE-2024-41110 in library dependencies. This vulnerability could not be actively exploited, though.
+
 ## Release 2.452.2-1
 * The Dogu now offers the Jenkins version 2.452.2. The Jenkins release notes can be found [here](https://www.jenkins.io/changelog/#v2.452).
diff --git a/dogu.json b/dogu.json
index 86736cf6..3a80befe 100644
--- a/dogu.json
+++ b/dogu.json
@@ -1,6 +1,6 @@
 {
 "Name": "official/jenkins",
- "Version": "2.452.2-1",
+ "Version": "2.452.2-2",
 "DisplayName": "Jenkins CI",
 "Description": "Jenkins Continuous Integration Server",
 "Category": "Development Apps",
diff --git a/integrationTests/cypress.config.js b/integrationTests/cypress.config.js
index 41282a09..b34524a3 100644
--- a/integrationTests/cypress.config.js
+++ b/integrationTests/cypress.config.js
@@ -21,12 +21,12 @@ async function setupNodeEvents(on, config) {
 module.exports = defineConfig({
 e2e: {
- "baseUrl": "https://192.168.56.2",
- "env": {
+ baseUrl: 'https://192.168.56.2',
+ env: {
 "DoguName": "jenkins",
 "MaxLoginRetries": 3,
 "AdminUsername": "ces-admin",
- "AdminPassword": "ecosystem2016",
+ "AdminPassword": "Ecosystem2016!",
 "AdminGroup": "CesAdministrators"
 },
 videoCompression: false,
diff --git a/spec/goss/goss.yaml b/spec/goss/goss.yaml
index d9a49c75..bc7bdc13 100644
--- a/spec/goss/goss.yaml
+++ b/spec/goss/goss.yaml
@@ -128,9 +128,15 @@ file:
 contains:
 - disabledAdministrativeMonitors
 - hudson.model.UpdateCenter$CoreUpdateMonitor
- /usr/glibc-compat/lib/libc.so:
+ /lib/libc.so.6:
 exists: true
- mode: "0644"
+ mode: "0777"
+ owner: root
+ group: root
+ filetype: symlink
+ /lib/libgcompat.so.0:
+ exists: true
+ mode: "0755"
 owner: root
 group: root
 filetype: file
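Review bot: `"AdminPassword": "Ecosystem2016!"` keeps an administrator credential committed in plain text; the change only rotates the value, and the `baseUrl` `https://192.168.56.2` suggests this is the default of a local development VM, but a committed secret is still picked up by secret scanners and tends to be reused elsewhere. Reading it from the environment with the current literal as the fallback, `"AdminPassword": process.env.CES_ADMIN_PASSWORD ?? 'Ecosystem2016!'`, keeps the tests runnable unchanged while letting CI inject a real value. The enclosing `defineConfig({ ... })` call continues outside the hunk.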
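Review bot: For the new `/lib/libc.so.6` entry the assertion `mode: "0777"` carries no information, since a symlink's mode is always 0777 on Linux, while the property that matters — where the link resolves — is not checked, so a dangling link after a future gcompat update would still pass. Replace the mode line with goss's `linked-to:` attribute set to the target gcompat actually installs (presumably `libgcompat.so.0`, to be confirmed against the built image) and keep `filetype: symlink`. The `mode: "0755"` check on `/lib/libgcompat.so.0` itself is a reasonable minimal assertion.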
@@ -145,11 +151,7 @@ package:
 installed: true
 libstdc++:
 installed: true
- glibc:
- installed: true
- glibc-bin:
- installed: true
- glibc-i18n:
+ gcompat:
 installed: true
 port:
 tcp6:8080: