feat: support for kyverno policies #333

Draft: wants to merge 3 commits into base: main

MeNsaaH
Collaborator

@MeNsaaH MeNsaaH commented Dec 18, 2024

No description provided.

Temporary image available at ghcr.io/zapier/kubechecks:0.0.0-pr333.

Comment on lines +35 to +40
for _, manifest := range appManifests {
if _, err := tempFile.WriteString(manifest + "\n"); err != nil {
log.Error().Err(err).Msg("Failed to write manifest to temporary file")
return msg.Result{}, err
}
}

Collaborator

Do you need --- to separate the manifests from each other here?

Collaborator Author

Yeah, that's right! Nice catch.
FYI, this is still in progress. So, it's not fully ready
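
The separator point raised in this thread, as an added example (not code from the PR or the kubechecks project): `naiveConcat` mirrors the loop on lines +35 to +40, while `joinManifests` and `countDocuments` are hypothetical helpers and the manifests are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample manifests, standing in for rendered app manifests.
var sampleManifests = []string{
	"apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: app-config",
	"apiVersion: v1\nkind: Service\nmetadata:\n  name: app-svc",
}

// naiveConcat mirrors the loop under review: manifest + "\n", no separator.
func naiveConcat(manifests []string) string {
	var b strings.Builder
	for _, m := range manifests {
		b.WriteString(m + "\n")
	}
	return b.String()
}

// joinManifests (hypothetical helper) writes every non-empty manifest as its
// own YAML document, each introduced by a "---" document-start marker.
func joinManifests(manifests []string) string {
	var b strings.Builder
	for _, m := range manifests {
		m = strings.ReplaceAll(m, "\r\n", "\n")
		m = strings.TrimRight(m, " \t\r\n")
		m = strings.TrimLeft(m, "\n")
		// Drop a marker the manifest already carries, so that no empty
		// document is emitted.
		if m == "---" {
			continue
		}
		if strings.HasPrefix(m, "---\n") {
			m = strings.TrimLeft(m[len("---\n"):], "\n")
		}
		if m == "" {
			continue
		}
		b.WriteString("---\n" + m + "\n")
	}
	return b.String()
}

// countDocuments (hypothetical helper) counts the non-empty documents in a
// stream by looking for lines that consist only of "---".
func countDocuments(stream string) int {
	count, hasContent := 0, false
	for _, line := range strings.Split(stream, "\n") {
		line = strings.TrimRight(line, " \t\r")
		if line == "---" {
			if hasContent {
				count++
			}
			hasContent = false
			continue
		}
		if strings.TrimSpace(line) != "" {
			hasContent = true
		}
	}
	if hasContent {
		count++
	}
	return count
}

func main() {
	// Without separators both resources run together into one document, so a
	// policy check reading the file does not see two separate resources.
	fmt.Println("naive: ", countDocuments(naiveConcat(sampleManifests)))
	fmt.Println("joined:", countDocuments(joinManifests(sampleManifests)))
}
```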

Comment on lines +61 to +66
var cr msg.Result
if output.Len() == 0 {
cr.State = pkg.StateWarning
} else {
cr.State = pkg.StateSuccess
}

Collaborator

If there's no output, then it failed? This seems ... strange, no?

Collaborator Author

This is more like a dummy script to just see what happens.

We'll need to parse the output to know if it failed or not.

Comment on lines +71 to +75
// -- kyverno
EnableKyvernoChecks bool `mapstructure:"enable-kyverno-checks"`
KyvernoPoliciesLocation []string `mapstructure:"kyverno-policies-location"`
KyvernoPoliciesPaths []string `mapstructure:"kyverno-policies-paths"`

Collaborator

We should also add a WorstKyvernoState pkg.CommitState field, which would allow people to either warn or fail depending on configuration.

Collaborator Author

Yeah! That'll be added

Signed-off-by: Mmadu Manasseh <[email protected]>
Signed-off-by: Mmadu Manasseh <[email protected]>
@MeNsaaH MeNsaaH force-pushed the kyverno-policies-support branch from 6c8f707 to 0ac7b28 Compare January 2, 2025 13:49
@zapier-sre-bot
Collaborator

Mergecat's Review

Click to read mergecats review!

😼 Mergecat review of .tool-versions

-earthly 0.8.15
-golang 1.22.7
+golang 1.23.4
 golangci-lint 1.62.2
 helm 3.16.3
 helm-cr 1.6.1
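
Review bot: the `-earthly 0.8.15` removal is not explained by a Kyverno feature; if any build or CI target still invokes Earthly, developers who rely on this file lose the pinned version. Keep the pin, or drop it in a separate change that also removes the Earthly usage.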

Feedback & Suggestions:

  • ⚠️ Compatibility Check: Ensure that the new version of Go (1.23.4) is compatible with your existing codebase and dependencies. Sometimes, minor version updates can introduce breaking changes or deprecations.

  • 🔍 Testing: After updating the Go version, run your test suite to verify that everything works as expected. This helps catch any issues early.

  • 📄 Documentation: Update any documentation or README files that specify the Go version to reflect this change, ensuring consistency across your project.


😼 Mergecat review of localdev/terraform/modules/vcs_files/mr5_files/apps/httpdump/overlays/a/kustomization.yaml

@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ../../base
+- ../../base
 
-patchesStrategicMerge:
-  - replica-patch.yaml
\ No newline at end of file
+patches:
+- path: replica-patch.yaml
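
Review bot: the switch from `patchesStrategicMerge` to `patches` with `- path: replica-patch.yaml` is unrelated to Kyverno support and would be easier to review in its own commit. An entry with only `path` and no `target` is still applied as a strategic merge patch, so behaviour should be unchanged; a `kustomize build` of overlay `a` before and after the change would confirm it.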

Feedback & Suggestions:

  1. Patch Format Change: The change from patchesStrategicMerge to patches with a path key is a significant alteration. Ensure that this change aligns with the intended behavior of your kustomization. The patches field is used for JSON 6902 patches, which might not be the same as strategic merge patches. Double-check that this change is compatible with your patching strategy. 🛠️

  2. Consistency in Indentation: The indentation for the resources section has been altered slightly. Ensure that the indentation is consistent throughout the file for better readability and to avoid potential parsing issues. 📏

  3. Newline at End of File: The diff indicates there is no newline at the end of the file. It's a good practice to include a newline at the end of files to avoid issues with some tools and version control systems. ➕


😼 Mergecat review of Tiltfile

@@ -236,7 +236,7 @@ k8s_resource(
   port_forwards=['2345:2345', '8080:8080'],
   resource_deps=[
     # 'go-build',
-    'go-test',
+    # 'go-test',
     'k8s:namespace',
     'argocd',
     'argocd-crds',
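
Review bot: commenting out `'go-test'` in `resource_deps` lets the local kubechecks resource deploy without the test resource having run, which reads like a debugging shortcut for this draft. Restore it before the PR leaves draft, or say in the Tiltfile comment why the dependency is dropped.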

Feedback & Suggestions:

  1. Commenting Out go-test Dependency: By commenting out the go-test dependency, you are removing it from the list of resource dependencies for the kubechecks Kubernetes resource. Ensure that this change is intentional and that the go-test resource is not required for the proper functioning of the kubechecks resource. If go-test is needed for testing or validation purposes, consider keeping it as a dependency.

  2. Documentation: If this change is intentional, it would be helpful to add a comment explaining why the go-test dependency is being removed. This will aid future developers in understanding the rationale behind this decision.

  3. Testing: After making this change, thoroughly test the application to ensure that removing the go-test dependency does not introduce any unintended side effects or break existing functionality.


😼 Mergecat review of cmd/controller.go

@@ -79,6 +79,11 @@ var ControllerCmd = &cobra.Command{
 			log.Fatal().Err(err).Msg("failed to process schema locations")
 		}
 
+		log.Info().Strs("locations", cfg.KyvernoPoliciesLocation).Msg("processing kyverno policies locations")
+		if err = processLocations(ctx, ctr, cfg.KyvernoPoliciesLocation); err != nil {
+			log.Fatal().Err(err).Msg("failed to process kyverno policies locations")
+		}
+
 		processors, err := getProcessors(ctr)
 		if err != nil {
 			log.Fatal().Err(err).Msg("failed to create processors")
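
Review bot: the new `processLocations(ctx, ctr, cfg.KyvernoPoliciesLocation)` call is not guarded by `cfg.EnableKyvernoChecks` in the lines shown, so a deployment with Kyverno checks disabled still processes the policy locations at startup and exits through `log.Fatal` if that fails. Wrap the block in `if cfg.EnableKyvernoChecks { ... }` so a bad or unreachable policy location cannot stop a controller that never runs the check.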

Feedback & Suggestions:

  1. Error Handling Consistency: The error handling for processing Kyverno policies locations is consistent with the existing pattern, which is good. However, consider whether log.Fatal is the best choice for handling errors in this context. Using log.Fatal will terminate the program immediately, which might not be ideal if you want to allow for recovery or cleanup operations. Consider using log.Error and handling the error more gracefully if appropriate.

  2. Performance Consideration: If processLocations is a potentially long-running operation, and if the order of processing is not critical, consider running these operations concurrently to improve performance. This can be done using goroutines. Ensure proper synchronization and error handling if you choose to go this route.

  3. Configuration Validation: Ensure that cfg.KyvernoPoliciesLocation is validated before being used. If this configuration can be empty or invalid, it might be worth adding a check before attempting to process it.

  4. Logging Detail: The log message for processing Kyverno policies locations is clear. Ensure that the cfg.KyvernoPoliciesLocation provides enough context in the logs to identify which locations are being processed, especially if this is a list of locations.


😼 Mergecat review of charts/kubechecks/templates/clusterrole.yaml

@@ -7,5 +7,5 @@ rules:
     resources: ['applications', 'appprojects', 'applicationsets', 'services']
     verbs: ['get', 'list', 'watch']
   - apiGroups: [''] # The core API group, which is indicated by an empty string
-    resources: ['secrets']
+    resources: ['secrets', 'configmaps']
     verbs: ['get', 'list', 'watch']
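
Review bot: `resources: ['secrets', 'configmaps']` widens a cluster-wide `get`/`list`/`watch` rule, and none of the hunks shown in this review read ConfigMaps, so the reason for the grant is not visible. State which component needs it; if the need is limited to particular namespaces, grant it through a namespaced Role there, or put it behind a chart value so installs that do not use it keep the narrower ClusterRole.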

Feedback & Suggestions:

  1. Security Consideration: Adding configmaps to the list of resources that can be accessed with get, list, and watch verbs increases the scope of access. Ensure that this change is necessary and that the ClusterRole is only granted to trusted entities. ConfigMaps can contain sensitive configuration data, and broad access might lead to unintended information disclosure. 🔒

  2. Documentation Update: If this change is intentional, consider updating any related documentation to reflect the expanded permissions. This helps maintain clarity for future developers or operators who might review the role's permissions. 📚

  3. Review for Least Privilege: Always aim to follow the principle of least privilege. If the application or service using this ClusterRole does not need access to all ConfigMaps, consider scoping down the permissions to specific ConfigMaps or using a different role for those that require it. 🔍


😼 Mergecat review of cmd/processors.go

@@ -7,6 +7,7 @@ import (
 	"github.com/zapier/kubechecks/pkg/checks/diff"
 	"github.com/zapier/kubechecks/pkg/checks/hooks"
 	"github.com/zapier/kubechecks/pkg/checks/kubeconform"
+	"github.com/zapier/kubechecks/pkg/checks/kyverno"
 	"github.com/zapier/kubechecks/pkg/checks/preupgrade"
 	"github.com/zapier/kubechecks/pkg/checks/rego"
 	"github.com/zapier/kubechecks/pkg/container"
@@ -57,5 +58,13 @@ func getProcessors(ctr container.Container) ([]checks.ProcessorEntry, error) {
 		})
 	}
 
+	if ctr.Config.EnableKyvernoChecks {
+		procs = append(procs, checks.ProcessorEntry{
+			Name:       "running kyverno check",
+			Processor:  kyverno.Check,
+			WorstState: ctr.Config.WorstPreupgradeState,
+		})
+	}
+
 	return procs, nil
 }
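
Review bot: `WorstState: ctr.Config.WorstPreupgradeState` in the new Kyverno `ProcessorEntry` ties the severity of Kyverno results to the preupgrade setting, so an operator cannot make policy violations fail a check without also changing preupgrade behaviour. Add the `WorstKyvernoState` field requested earlier in this conversation, with its own flag alongside `worst-preupgrade-state`, and reference it here.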

Feedback & Suggestions:

  1. Consistency in Configuration: The WorstState for the Kyverno check is set to ctr.Config.WorstPreupgradeState. Ensure that this is intentional and not a copy-paste error. If there is a specific WorstKyvernoState configuration, it should be used instead. 🛠️

  2. Error Handling: Consider adding error handling for the Kyverno check initialization, similar to the Rego checker. This can help catch any issues during the setup of the Kyverno processor. 🔍

  3. Documentation: Update any relevant documentation to reflect the addition of the Kyverno check, ensuring users are aware of this new feature and how to configure it. 📚


😼 Mergecat review of pkg/config/config.go

@@ -69,6 +69,10 @@ type ServerConfig struct {
 	// -- preupgrade
 	EnablePreupgrade     bool            `mapstructure:"enable-preupgrade"`
 	WorstPreupgradeState pkg.CommitState `mapstructure:"worst-preupgrade-state"`
+	// -- kyverno
+	EnableKyvernoChecks     bool     `mapstructure:"enable-kyverno-checks"`
+	KyvernoPoliciesLocation []string `mapstructure:"kyverno-policies-location"`
+	KyvernoPoliciesPaths    []string `mapstructure:"kyverno-policies-paths"`
 
 	// misc
 	AdditionalAppsNamespaces []string      `mapstructure:"additional-apps-namespaces"`

Feedback & Suggestions:

  1. Consistency in Naming: Ensure that the naming conventions for the new fields are consistent with existing ones. For example, KyvernoPoliciesLocation and KyvernoPoliciesPaths are similar to PoliciesLocation in the EnableConfTest section. Consider if the naming should reflect a similar pattern for clarity and consistency.

  2. Documentation: Add comments to describe the purpose of the new fields EnableKyvernoChecks, KyvernoPoliciesLocation, and KyvernoPoliciesPaths. This will help future developers understand their usage and significance.

  3. Security Considerations: If KyvernoPoliciesLocation and KyvernoPoliciesPaths are expected to contain sensitive information, ensure that there are appropriate security measures in place to protect this data.

  4. Validation: Consider adding validation logic to ensure that the paths provided in KyvernoPoliciesLocation and KyvernoPoliciesPaths are valid and accessible. This can prevent runtime errors and improve the robustness of the application.

  5. Testing: Ensure that there are adequate tests to cover the new functionality introduced by these fields. This includes unit tests to verify the correct behavior of the configuration parsing and any logic that depends on these new fields.


😼 Mergecat review of cmd/root.go

@@ -119,6 +119,11 @@ func init() {
 		newStringOpts().
 			withDefault("kubechecks again"))
 	stringSliceFlag(flags, "additional-apps-namespaces", "Additional namespaces other than the ArgoCDNamespace to monitor for applications.")
+	boolFlag(flags, "enable-kyverno-checks", "Enable kyverno policy checks.")
+	stringFlag(flags, "kyverno-policies-location", "Sets kyverno policy locations to be used for every check request. This is a git url in either git or http(s) format.")
+	stringSliceFlag(flags, "kyverno-policies-paths", "Sets the paths inside the kyverno-policies-location that contains the policies. Default to root of the repository.",
+		newStringSliceOpts().
+			withDefault([]string{"."}))
 
 	panicIfError(viper.BindPFlags(flags))
 	setupLogOutput()
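
Review bot: `kyverno-policies-location` is registered with `stringFlag` and described as a single git URL, while `pkg/config/config.go` declares `KyvernoPoliciesLocation []string` and `cmd/controller.go` logs it with `Strs`. Register it with `stringSliceFlag` or make the field a `string`, so the flag type, help text and config type agree. The help text also does not say which ref is checked out; since the fetched policies decide what passes, document how to pin a branch, tag or commit.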

Feedback & Suggestions:

  1. Security Consideration: Ensure that the kyverno-policies-location is validated to prevent potential security risks from untrusted sources. Consider implementing checks to verify the authenticity and integrity of the git URL before using it.

  2. Error Handling: It would be beneficial to add error handling for the new flags, especially for kyverno-policies-location and kyverno-policies-paths. This can help in diagnosing issues if the provided paths or URLs are incorrect or inaccessible.

  3. Documentation: Make sure to update any relevant documentation to include these new flags. This will help users understand how to configure and use the Kyverno checks effectively.

  4. Testing: Ensure that there are adequate tests covering these new flags to verify their functionality and integration with the existing system.

  5. Consistency: Consider using a consistent naming convention for the flags. For example, kyverno-policies-location could be renamed to kyverno-policy-location to match the singular form used in other flags like vcs-base-url.


😼 Mergecat review of localdev/kubechecks/values.yaml

@@ -24,14 +24,20 @@ configMap:
     # KUBECHECKS_SCHEMAS_LOCATION: https://github.com/zapier/kubecheck-schemas.git
     KUBECHECKS_TIDY_OUTDATED_COMMENTS_MODE: "delete"
     KUBECHECKS_ENABLE_CONFTEST: "false"
+    KUBECHECKS_ENABLE_KYVERNO_CHECKS: "true"
+    KUBECHECKS_KYVERNO_POLICIES_LOCATION: "https://gitlab.com/zapier/team-sre/service-kyverno.git"
+    KUBECHECKS_KYVERNO_POLICIES_PATHS: "argocd/production/templates/checks"
+    KUBECHECKS_ARGOCD_SEND_FULL_REPOSITORY: "true"
+    KUBECHECKS_ARGOCD_REPOSITORY_ENDPOINT: argocd-repo-server.kubechecks:8081
+    GRPC_ENFORCE_ALPN_ENABLED: false
 
 
 deployment:
   annotations:
     reloader.stakater.com/auto: "true" 
   
   image:
-    pullPolicy: Never
+    pullPolicy: IfNotPresent
     name: "kubechecks"
     tag: ""
 
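
Review bot: `GRPC_ENFORCE_ALPN_ENABLED: false` is an unquoted YAML boolean, while the other boolean-valued entries in this block are quoted strings (`"true"`, `"false"`). ConfigMap data values must be strings, so quote it as `"false"` unless the chart template already does. Separately, `KUBECHECKS_KYVERNO_POLICIES_LOCATION` hard-codes an organisation-specific GitLab repository and `KUBECHECKS_ENABLE_KYVERNO_CHECKS` is set to `"true"` in the shared localdev values, which makes every local environment depend on access to that repository; leave the check disabled or the location commented out by default, as `KUBECHECKS_SCHEMAS_LOCATION` is above.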

Feedback & Suggestions:

  1. Security Concern with URLs: The addition of KUBECHECKS_KYVERNO_POLICIES_LOCATION and KUBECHECKS_KYVERNO_POLICIES_PATHS introduces external URLs. Ensure these URLs are secure and trusted to prevent any potential security risks. Consider using environment variables or configuration management tools to manage these URLs securely. 🔒

  2. Image Pull Policy: Changing the pullPolicy from Never to IfNotPresent is generally a good practice for environments where you want to ensure the image is pulled if not available locally. However, ensure this aligns with your deployment strategy, especially in development environments where you might want to test local changes. 🐳

  3. Redundant Configuration: The KUBECHECKS_ARGOCD_REPOSITORY_ENDPOINT and GRPC_ENFORCE_ALPN_ENABLED were re-added in the diff. Ensure these are intentional and not duplicated, as redundancy can lead to maintenance challenges. 🌀

  4. Documentation: Consider updating any relevant documentation to reflect these new configurations, especially for the newly introduced Kyverno checks. This will help maintain clarity for future developers or operators. 📚


😼 Mergecat review of go.mod

@@ -1,29 +1,30 @@
 module github.com/zapier/kubechecks
 
-go 1.22.0
+go 1.22.8
 
-toolchain go1.22.7
+toolchain go1.23.4
 
 require (
 	github.com/argoproj/argo-cd/v2 v2.13.1
 	github.com/argoproj/gitops-engine v0.7.1-0.20240905010810-bd7681ae3f8b
 	github.com/aws/aws-sdk-go-v2 v1.32.6
-	github.com/aws/aws-sdk-go-v2/config v1.27.24
+	github.com/aws/aws-sdk-go-v2/config v1.27.33
 	github.com/aws/aws-sdk-go-v2/service/eks v1.46.0
 	github.com/aws/aws-sdk-go-v2/service/sts v1.33.2
 	github.com/aws/smithy-go v1.22.1
 	github.com/bradleyfalzon/ghinstallation/v2 v2.11.0
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/chainguard-dev/git-urls v1.0.2
 	github.com/creasty/defaults v1.7.0
-	github.com/ghodss/yaml v1.0.0
+	github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
 	github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399
 	github.com/go-logr/zerologr v1.2.3
 	github.com/google/go-github/v62 v62.0.0
 	github.com/google/uuid v1.6.0
 	github.com/heptiolabs/healthcheck v0.0.0-20211123025425-613501dd5deb
 	github.com/imdario/mergo v0.3.16
 	github.com/jeremywohl/flatten v1.0.1
+	github.com/kyverno/kyverno v1.13.1
 	github.com/labstack/echo-contrib v0.17.1
 	github.com/labstack/echo/v4 v4.13.3
 	github.com/masterminds/semver v1.5.0
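
Review bot: `github.com/ghodss/yaml` moves from the tagged `v1.0.0` to the pseudo-version `v1.0.1-0.20190212211648-25d852aebe32` in the direct `require` block, which pins the build to an untagged commit. If this was pulled up by adding `github.com/kyverno/kyverno v1.13.1` rather than chosen deliberately, say so in the commit message so the pin is not mistaken for an intentional upgrade.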
@@ -32,7 +33,7 @@ require (
 	github.com/open-policy-agent/conftest v0.49.1
 	github.com/pkg/errors v0.9.1
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
-	github.com/prometheus/client_golang v1.20.3
+	github.com/prometheus/client_golang v1.20.4
 	github.com/rikatz/kubepug v1.4.0
 	github.com/rs/zerolog v1.33.0
 	github.com/sashabaranov/go-openai v1.36.0
@@ -52,7 +53,7 @@ require (
 	go.opentelemetry.io/otel/sdk v1.33.0
 	go.opentelemetry.io/otel/sdk/metric v1.33.0
 	go.opentelemetry.io/otel/trace v1.33.0
-	golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3
+	golang.org/x/exp v0.0.0-20240823005443-9b4947da3948
 	golang.org/x/net v0.33.0
 	golang.org/x/oauth2 v0.24.0
 	google.golang.org/grpc v1.67.1
@@ -67,137 +68,250 @@ require (
 )
 
 require (
-	cloud.google.com/go v0.112.1 // indirect
+	cloud.google.com/go v0.115.1 // indirect
+	cloud.google.com/go/auth v0.9.1 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
 	cloud.google.com/go/compute/metadata v0.5.0 // indirect
-	cloud.google.com/go/iam v1.1.6 // indirect
-	cloud.google.com/go/storage v1.38.0 // indirect
-	cuelang.org/go v0.7.0 // indirect
+	cloud.google.com/go/iam v1.2.0 // indirect
+	cloud.google.com/go/kms v1.19.0 // indirect
+	cloud.google.com/go/longrunning v0.6.0 // indirect
+	cloud.google.com/go/storage v1.43.0 // indirect
+	cuelabs.dev/go/oci/ociregistry v0.0.0-20240807094312-a32ad29eed79 // indirect
+	cuelang.org/go v0.10.0 // indirect
 	dario.cat/mergo v1.0.1 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.1 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.24 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
 	github.com/BurntSushi/toml v1.3.2 // indirect
 	github.com/CycloneDX/cyclonedx-go v0.8.0 // indirect
+	github.com/IGLOU-EU/go-wildcard v1.0.3 // indirect
 	github.com/KeisukeYamashita/go-vcl v0.4.0 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.3.0 // indirect
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/ProtonMail/go-crypto v1.0.0 // indirect
+	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/agnivade/levenshtein v1.1.1 // indirect
+	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
+	github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect
+	github.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect
+	github.com/alibabacloud-go/darabonba-openapi v0.2.1 // indirect
+	github.com/alibabacloud-go/debug v1.0.1 // indirect
+	github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
+	github.com/alibabacloud-go/openapi-util v0.1.1 // indirect
+	github.com/alibabacloud-go/tea v1.2.2 // indirect
+	github.com/alibabacloud-go/tea-utils v1.4.5 // indirect
+	github.com/alibabacloud-go/tea-utils/v2 v2.0.6 // indirect
+	github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
+	github.com/aliyun/credentials-go v1.3.8 // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
+	github.com/aptible/supercronic v0.2.30 // indirect
+	github.com/aquilax/truncate v1.0.0 // indirect
 	github.com/argoproj/pkg v0.13.7-0.20230627120311-a4dd357b057e // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aws/aws-sdk-go v1.55.5 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.24 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.9 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.32 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.25 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.25 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.33.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.25.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.22.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.35.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 // indirect
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240909191326-0ee4ec5d16bf // indirect
 	github.com/basgys/goxml2json v1.1.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/bmatcuk/doublestar/v4 v4.6.1 // indirect
 	github.com/bombsimon/logrusr/v2 v2.0.1 // indirect
-	github.com/bufbuild/protocompile v0.6.0 // indirect
+	github.com/bufbuild/protocompile v0.10.0 // indirect
+	github.com/buildkite/agent/v3 v3.78.0 // indirect
+	github.com/buildkite/go-pipeline v0.11.0 // indirect
+	github.com/buildkite/interpolate v0.1.3 // indirect
+	github.com/buildkite/roko v1.2.0 // indirect
+	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
-	github.com/cloudflare/circl v1.3.7 // indirect
+	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
+	github.com/clbanning/mxj/v2 v2.7.0 // indirect
+	github.com/cloudflare/circl v1.4.0 // indirect
 	github.com/cockroachdb/apd/v3 v3.2.1 // indirect
+	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
 	github.com/containerd/typeurl/v2 v2.1.1 // indirect
 	github.com/coreos/go-oidc/v3 v3.11.0 // indirect
+	github.com/coreos/go-semver v0.3.1 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/cpuguy83/dockercfg v0.3.1 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect
 	github.com/cyphar/filepath-securejoin v0.3.2 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/dgraph-io/ristretto v0.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/distribution/reference v0.5.0 // indirect
+	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
+	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
+	github.com/dimchansky/utfbom v1.1.1 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/djherbis/times v1.6.0 // indirect
 	github.com/dlclark/regexp2 v1.11.4 // indirect
+	github.com/docker/cli v27.2.0+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker v27.2.1+incompatible // indirect
-	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/docker-credential-helpers v0.8.2 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
+	github.com/emicklei/proto v1.13.2 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
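
Review bot: importing `github.com/kyverno/kyverno v1.13.1` as a library expands the indirect set in this hunk with cloud SDKs and signing or registry clients (`Azure/azure-sdk-for-go`, `alibabacloud-go/*`, `aws-sdk-go-v2/service/kms`, `ThalesIgnite/crypto11`, `docker/cli`, `buildkite/agent/v3`) that a manifest policy check is unlikely to exercise. That is a sizeable increase in supply-chain surface for the kubechecks binary; check whether a narrower Kyverno package or running the Kyverno CLI as a separate binary gives the same result, and run a vulnerability scan over the new module graph before merging.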

</details>

---

## Dependency Review
<details><summary>Click to read mergecats review!</summary>

No suggestions found
</details>
