This adds the ability to accept sigstore signatures signed by any key from a set of several (huge thanks to @dcermak and @danishprakash for doing almost all the work), and Rekor log presence proofs signed by any key from a set of several keys.
By allowing Open(at)InRoot to opt out of the extra work MkdirAll does
for its necessary "partial lookups", Open(at)InRoot now does less work
for both implementations (a many-fold decrease in the number of
operations for openat2, and a modest improvement for non-openat2) and is
far more likely to match the correct openat2(RESOLVE_IN_ROOT)
behaviour.
We now use readlinkat(fd, "") where possible. For Open(at)InRoot this
effectively just means that we no longer risk getting spurious errors during
rename races. However, for our hardened procfs handler, this in theory should
prevent mount attacks from tricking us when doing magic-link readlinks (even
when using the unsafe host /proc handle). Unfortunately Reopen is still
potentially vulnerable to those kinds of somewhat-esoteric attacks.
Several improvements were made to the errors returned by Open(at)InRoot and
MkdirAll when dealing with invalid paths under the emulated (i.e.
non-openat2) implementation. Previously, some paths would return the wrong
error (ENOENT when the last component was a non-directory), and other paths
would be accepted as though they were valid (trailing-slash components
after a non-directory would be ignored by Open(at)InRoot).
These changes were made to match openat2's behaviour and are purely a
consistency fix (most users are going to be using openat2 anyway).
However, it does introduce a new *os.File-based API which is much safer
to use for most use cases. These are adapted from [libpathrs][1] and are
the bare minimum needed to operate more safely on an untrusted
rootfs where an attacker has write access (something that SecureJoin
cannot protect against). The new APIs are:
- OpenInRoot, which resolves a path inside a rootfs and returns an
  *os.File handle to the path. Note that the file handle returned by
  OpenInRoot is an O_PATH handle, which cannot be used for reading or
  writing (as well as some other operations -- see open(2) for more
  details).
- Reopen, which takes an O_PATH file handle and safely re-opens it to
  "upgrade" it to a regular handle.
[0.3.0] - 2024-07-11
Added
A new set of *os.File-based APIs has been added. These are adapted from
[libpathrs][] and we strongly suggest using them if possible (as they provide
far more protection against attacks than SecureJoin):
- Open(at)InRoot resolves a path inside a rootfs and returns an *os.File
  handle to the path. Note that the handle returned is an O_PATH handle,
  which cannot be used for reading or writing (as well as some other
  operations -- [see open(2) for more details][open.2]).
- Reopen takes an O_PATH file handle and safely re-opens it to upgrade
  it to a regular handle. This can also be used with non-O_PATH handles,
  but O_PATH is the most obvious application.
- MkdirAll is an implementation of os.MkdirAll that is safe to use to
Flux v2.3.0 is a feature release. Users are encouraged to upgrade for the best experience.
For a comprehensive overview of new features and API changes included in this release, please refer to the Announcing Flux 2.3 GA blog post.
This release marks the General Availability (GA) of Flux Helm features and APIs, including helm-controller, the HelmRelease, HelmChart, and HelmRepository APIs.
The HelmRepository v2 API comes with new features, such as the ability to reference Helm charts from OCIRepository sources, reuse existing HelmChart resources, and verify the integrity of Helm chart artifacts signed with Notary Notation.
❤️ Big thanks to all the Flux contributors that helped us with this release!
Kubernetes compatibility
This release is compatible with the following Kubernetes versions:
| Kubernetes version | Minimum required |
|---|---|
| v1.28 | >= 1.28.0 |
| v1.29 | >= 1.29.0 |
| v1.30 | >= 1.30.0 |
> [!NOTE]
> Note that the Flux project offers support only for the latest three minor versions of Kubernetes.
> Backwards compatibility with older versions of Kubernetes and OpenShift is offered by vendors such as
> ControlPlane that provide enterprise support for Flux.
API changes
HelmRelease v2
The HelmRelease kind was promoted from v2beta2 to v2 (GA).
The v2 API is backwards compatible with v2beta2, with the exception of the deprecated fields which have been removed.
Removed fields:
- .spec.chart.spec.valuesFile replaced by .spec.chart.spec.valuesFiles.
- .spec.postRenderers.kustomize.patchesJson6902 replaced by .spec.postRenderers.kustomize.patches.
- .spec.postRenderers.kustomize.patchesStrategicMerge replaced by .spec.postRenderers.kustomize.patches.
- .status.lastAppliedRevision replaced by .status.history.chartVersion.
New fields:
- .spec.chartRef allows referencing chart artifacts from OCIRepository and HelmChart objects.
- .spec.chart.spec.ignoreMissingValuesFiles allows ignoring missing values files instead of failing to reconcile.
HelmChart v1
... (truncated)
Commits
896e0fa Merge pull request #4785 from fluxcd/dependabot/github_actions/ci-f6abfb4cf0
8d75df8 build(deps): bump the ci group with 3 updates
dd7ef7d Merge pull request #4766 from fluxcd/reconcile-hr-with-chartref
5feee5c Add support for creating HR with .spec.ChartRef
0d0285a Enable reconciling HelmReleases with ChartRef
86b3581 Merge pull request #4783 from fluxcd/conformance-tests
Supported architectures: linux/amd64, linux/arm64 and linux/arm/v7.
The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC.
To verify the images and their provenance (SLSA level 3), please see the security documentation.
This minor release comes with new features, improvements and bug fixes.
The controller has been updated to Kustomize v5.4, please see the
kubernetes-sigs/kustomize changelog
for more details.
The Flux Kustomization API gains two optional fields .spec.namePrefix and .spec.nameSuffix
that can be used to specify a prefix and suffix to be added to the names
of all managed resources.
The controller now supports the --feature-gates=StrictPostBuildSubstitutions=true
flag; when enabled, the post-build substitutions will fail if a
variable without a default value is declared in files but is
missing from the input vars.
When using variable substitution with values that are numbers or booleans,
it is now possible to convert the values to strings; for more details see the
post-build documentation.
In addition, the controller dependencies have been updated to Kubernetes v1.30
and controller-runtime v0.18. Various other dependencies have also been updated to
their latest version to patch upstream CVEs.
Bumps the go group with 13 updates in the / directory:
Updates github.com/Masterminds/semver/v3 from 3.2.1 to 3.3.0
Release notes
Sourced from github.com/Masterminds/semver/v3's releases.
Changelog
Sourced from github.com/Masterminds/semver/v3's changelog.
Commits
e6e3d4d Merge pull request #249 from mattfarina/update-changelog-3.3.0
e80c4ea Updating changelog for 3.3.0
80427ad Merge pull request #248 from mattfarina/bump-min-version
b610837 bumping min version in go.mod based on what's tested
a4cccd8 Merge pull request #246 from mattfarina/bump-go-1.23
7c178cf Updating the testing version of Go used
29f94c1 Merge pull request #241 from grosser/grosser/validate
2cf1b16 Merge pull request #245 from mattfarina/remove-vert
b55476a Removing reference to vert
d07450b simplify StrictNewVersion
Updates github.com/containers/image/v5 from 5.23.0 to 5.32.2
Release notes
Sourced from github.com/containers/image/v5's releases.
... (truncated)
Commits
0b425a4 Release 5.32.2
2a87b21 Support accepting multiple Rekor public keys
95c0635 Add field KeyPaths and KeyDatas to prSigstoreSigned
d42de59 Split verifySigstorePayloadBlobSignature from VerifySigstorePayload
a5ea016 Use loadBytesFromConfigSources in prSignedBy.isSignatureAuthorAccepted
03550b4 Turn loadBytesFromDataOrPath into loadBytesFromConfigSources
c0c8d34 Use InvalidPolicyFormatError for invalid sigstore options
4bcaca1 Merge pull request #2511 from mtrmac/5.32-version
c94eadb Fix the version number
6a17c28 Merge pull request #2508 from mtrmac/5.32-zstd
Updates github.com/cyphar/filepath-securejoin from 0.2.4 to 0.3.1
Release notes
Sourced from github.com/cyphar/filepath-securejoin's releases.
... (truncated)
Changelog
Sourced from github.com/cyphar/filepath-securejoin's changelog.
... (truncated)
Commits
ce7b28a VERSION: release v0.3.1
a2c14f8 CHANGELOG: add readlinkat(fd, "") shout-out
4ea279f merge #22 into cyphar/filepath-securejoin:main
16e1bec CHANGELOG: add initial changelog with current history
2404ffb merge #21 into cyphar/filepath-securejoin:main
f29b7a4 lookup: handle // and trailing slash components correctly
ecd61ca merge #19 into cyphar/filepath-securejoin:main
38b1220 procfs: refactor statx mnt_id logic
45c4415 procfs: use readlink(fd, "") for magic-links
edab538 merge #17 into cyphar/filepath-securejoin:main
Updates github.com/fatih/color from 1.15.0 to 1.16.0
Release notes
Sourced from github.com/fatih/color's releases.
Commits
0f9779e Merge pull request #213 from fatih/dependabot/go_modules/golang.org/x/sys-0.14.0
0c78604 Bump golang.org/x/sys from 0.13.0 to 0.14.0
96e0f73 Merge pull request #208 from fatih/dependabot/github_actions/actions/checkout-4
4c66e32 Bump actions/checkout from 3 to 4
2fb03d6 Merge pull request #202 from fatih/dependabot/github_actions/actions/setup-go-4
8ba7bbd Bump actions/setup-go from 3 to 4
e3f97f3 Merge pull request #209 from fatih/dependabot/go_modules/golang.org/x/sys-0.13.0
e146575 Bump golang.org/x/sys from 0.10.0 to 0.13.0
d2d7a5e Merge pull request #212 from fatih/dependabot/go_modules/github.com/mattn/go-...
f3e45da Merge branch 'main' into dependabot/go_modules/github.com/mattn/go-isatty-0.0.20
Updates github.com/fluxcd/flux2/v2 from 2.0.0-rc.3 to 2.3.0
Release notes
Sourced from github.com/fluxcd/flux2/v2's releases.
... (truncated)
Commits
896e0fa Merge pull request #4785 from fluxcd/dependabot/github_actions/ci-f6abfb4cf0
8d75df8 build(deps): bump the ci group with 3 updates
dd7ef7d Merge pull request #4766 from fluxcd/reconcile-hr-with-chartref
5feee5c Add support for creating HR with .spec.ChartRef
0d0285a Enable reconciling HelmReleases with ChartRef
86b3581 Merge pull request #4783 from fluxcd/conformance-tests
32804f6 ci: Consolidate conformance tests
070fa0f Merge pull request #4781 from fluxcd/drop-kubernetes-eol
9ef9464 Update kubectl to 1.30.0 in flux-cli image
d8e6199 Set Kubernetes 1.28 as min required version
Updates github.com/fluxcd/go-git-providers from 0.18.1-0.20230706132206-211750e8915d to 0.20.1
Release notes
Sourced from github.com/fluxcd/go-git-providers's releases.
Commits
Updates github.com/fluxcd/kustomize-controller/api from 1.1.0 to 1.3.0
Release notes
Sourced from github.com/fluxcd/kustomize-controller/api's releases.
... (truncated)
Changelog
Sourced from github.com/fluxcd/kustomize-controller/api's changelog.
... (truncated)
Commits
83fbfee Merge pull request #1157 from fluxcd/release-v1.3.0
458d7e2 Release v1.3.0
4a02b3f Add changelog entry for v1.3.0
882f6a7 Merge pull request #1154 from fluxcd/dependabot/github_actions/ci-b23e0286c6
dfcd4ed Merge pull request #1155 from fluxcd/source-controller-1.3.0
e81120a build(deps): bump actions/setup-go from 5.0.0 to 5.0.1 in the ci group
780954f Update source-controller API to v1.3.0
99792de Merge pull request #1152 from dipti-pai/remove-deprecated-aad-podidentity-ref
fc663de Remove references aad pod identity
f0f9b03 Merge pull request #1149 from fluxcd/dependabot/github_actions/ci-cfa2b75493
Updates github.com/fluxcd/pkg/apis/meta from 1.1.2 to 1.5.0
Commits
e32ccc2 Merge pull request #763 from fluxcd/kubernetes-1.30
2b974af Update sigs.k8s.io/controller-tools to v0.15.0
52c1fc5 Update sigs.k8s.io/controller-runtime to v0.18.0
c906252 Update dependencies to Kubernetes 1.30
92c1348 Merge pull request #764 from fluxcd/dependabot/github_actions/ci-e44cfae560
ccb916a build(deps): bump the ci group with 3 updates
6081556 Merge pull request #761 from fluxcd/kustomize-name-prefix-suffix
abf5675 kustomize: Add support for namePrefix and nameSuffix
98d2522 Merge pull request #760 from fluxcd/dependabot/github_actions/ci-8f082d4f6d
efcd824 build(deps): bump docker/setup-buildx-action in the ci group
Updates github.com/fluxcd/pkg/git from 0.11.0 to 0.19.0
Commits
e32ccc2 Merge pull request #763 from fluxcd/kubernetes-1.30
2b974af Update sigs.k8s.io/controller-tools to v0.15.0
52c1fc5 Update sigs.k8s.io/controller-runtime to v0.18.0
c906252 Update dependencies to Kubernetes 1.30
92c1348 Merge pull request #764 from fluxcd/dependabot/github_actions/ci-e44cfae560
ccb916a build(deps): bump the ci group with 3 updates
6081556 Merge pull request #761 from fluxcd/kustomize-name-prefix-suffix
abf5675 kustomize: Add support for namePrefix and nameSuffix
98d2522 Merge pull request #760 from fluxcd/dependabot/github_actions/ci-8f082d4f6d
efcd824 build(deps): bump docker/setup-buildx-action in the ci group
Updates github.com/fluxcd/pkg/git/gogit from 0.8.1 to 0.19.0
Commits
e32ccc2 Merge pull request #763 from fluxcd/kubernetes-1.30
2b974af Update sigs.k8s.io/controller-tools to v0.15.0
52c1fc5 Update sigs.k8s.io/controller-runtime to v0.18.0
c906252 Update dependencies to Kubernetes 1.30
92c1348 Merge pull request #764 from fluxcd/dependabot/github_actions/ci-e44cfae560
ccb916a build(deps): bump the ci group with 3 updates
6081556 Merge pull request #761 from fluxcd/kustomize-name-prefix-suffix
abf5675 kustomize: Add support for namePrefix and nameSuffix
98d2522 Merge pull request #760 from fluxcd/dependabot/github_actions/ci-8f082d4f6d
efcd824 build(deps): bump docker/setup-buildx-action in the ci group
Updates github.com/fluxcd/pkg/kustomize from 1.3.4 to 1.11.0
Commits
3790516 Merge pull request #767 from fluxcd/up-internal-deps
37ea30c Update internal dependencies
e32ccc2 Merge pull request #763 from fluxcd/kubernetes-1.30
2b974af Update sigs.k8s.io/controller-tools to v0.15.0
52c1fc5 Update sigs.k8s.io/controller-runtime to v0.18.0
c906252 Update dependencies to Kubernetes 1.30
92c1348 Merge pull request #764 from fluxcd/dependabot/github_actions/ci-e44cfae560
ccb916a build(deps): bump the ci group with 3 updates
6081556 Merge pull request #761 from fluxcd/kustomize-name-prefix-suffix
abf5675 kustomize: Add support for namePrefix and nameSuffix
Updates github.com/fluxcd/pkg/ssa from 0.28.2 to 0.39.1
Commits
adcfcbe Merge pull request #769 from fluxcd/controller-runtime-v0.18.1
0e74a82 Update runtime pkg docs
b329d92 Update dependencies to controller-runtime v0.18.1
d0bf8ed Merge pull request #768 from fluxcd/dependabot/github_actions/ci-b93eff89fb
14f05d7 build(deps): bump actions/checkout from 4.1.3 to 4.1.4 in the ci group
3790516 Merge pull request #767 from fluxcd/up-internal-deps
37ea30c Update internal dependencies
e32ccc2 Merge pull request #763 from fluxcd/kubernetes-1.30
2b974af Update sigs.k8s.io/controller-tools to v0.15.0
52c1fc5 Update sigs.k8s.io/controller-runtime to v0.18.0
Updates github.com/fluxcd/source-controller/api from 1.1.0 to 1.3.0
Release notes
Sourced from
Mend Scan Summary: :x:
Repository: open-component-model/MPAS
Detailed Logs: mend-scan -> Generate Report (Mend UI)