[release-1.0] OCPBUGS-22347: address CVE-2023-44487

[alebedev87]

Backport of https://github.com/openshift/external-dns-operator/pull/204:

• bump x/net v0.17.0
• bump sigs.k8s.io/controller-runtime v0.12.3 (TLSOpts for webhook)
• bump operand image
• disable HTTP/2 for kube-rbac-proxy container
• disable HTTP/2 for webhook server

[openshift-ci-robot]

@alebedev87: This pull request references Jira Issue OCPBUGS-22347, which is valid.

4 validation(s) were run on this bug

* bug is open, matching expected state (open) * bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST) * dependent bug [Jira Issue OCPBUGS-22348](https://issues.redhat.com//browse/OCPBUGS-22348) is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA)) * bug has dependents

Requesting review from QA contact: /cc @melvinjoseph86

The bug has been updated to refer to the pull request using the external bug tracker.

In response to [this](https://github.com/openshift/external-dns-operator/pull/208): >Backport of https://github.com/openshift/external-dns-operator/pull/204: >- bump controller-runtime v0.12.3 >- disable HTTP/2 for kube-rbac-proxy container >- disable HTTP/2 for webhook server Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[alebedev87]

/retitle [WIP] [release-1.0] OCPBUGS-22347: address https://github.com/advisories/GHSA-qppj-fm5r-hxr3

Waiting for https://github.com/openshift/external-dns/pull/56 to be merged.

[melvinjoseph86]

Verified using clusterbot melvinjoseph@mjoseph-mac Downloads % oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.12.0-0.test-2023-12-13-071635-ci-ln-8dm452k-latest True False 138m Cluster version is 4.12.0-0.test-2023-12-13-071635-ci-ln-8dm452k-latest

melvinjoseph@mjoseph-mac Downloads % oc get csv NAME DISPLAY VERSION REPLACES PHASE external-dns-operator.v1.0.0 ExternalDNS Operator 1.0.0 Succeeded melvinjoseph@mjoseph-mac Downloads % oc get sub NAME PACKAGE SOURCE CHANNEL oo-rppfr external-dns-operator oo-q5m9w stable-v1.0 melvinjoseph@mjoseph-mac Downloads % oc get po NAME READY STATUS RESTARTS AGE external-dns-operator-84c4558f86-nvbpt 2/2 Running 0 55m oo-q5m9w-kjffh 1/1 Running 0 55m

melvinjoseph@mjoseph-mac Downloads % oc get po external-dns-operator-84c4558f86-nvbpt -oyaml
apiVersion: v1 items: <----snip-----> spec: containers:

• args:
  • --metrics-bind-address=127.0.0.1:8080
  • --operator-namespace=$(OPERATOR_NAMESPACE)
  • --operand-namespace=$(OPERATOR_NAMESPACE)
  • --externaldns-image=$(RELATED_IMAGE_EXTERNAL_DNS)
  • --trusted-ca-configmap=$(TRUSTED_CA_CONFIGMAP_NAME)
  • --leader-elect
  • --webhook-disable-http2 <-----snip----->
• args:
  • --secure-listen-address=0.0.0.0:8443
  • --upstream=http://127.0.0.1:8080/
  • --logtostderr=true
  • --v=10
  • --tls-cert-file=/var/run/secrets/serving-cert/tls.crt
  • --tls-private-key-file=/var/run/secrets/serving-cert/tls.key
  • --http2-disable <-----snip----->

[melvinjoseph86]

/label qe-approved

[alebedev87]

/retitle [release-1.0] OCPBUGS-22347: address CVE-2023-44487

The operand image was bumped thanks to the mirroring config.

[openshift-ci[bot]]

@alebedev87: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).

[gcs278]

/assign

[gcs278]

No issue, just curiosity /lgtm /approve

[alebedev87]

/approve

While waiting for https://github.com/openshift/external-dns-operator/pull/212.

works?

[openshift-ci[bot]]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alebedev87, gcs278

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/openshift/external-dns-operator/blob/release-1.0/OWNERS)~~ [alebedev87] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment

[openshift-ci-robot]

@alebedev87: Jira Issue OCPBUGS-22347: All pull requests linked via external trackers have merged:

• openshift/external-dns#56
• openshift/external-dns-operator#208

Jira Issue OCPBUGS-22347 has been moved to the MODIFIED state.

In response to [this](https://github.com/openshift/external-dns-operator/pull/208): >Backport of https://github.com/openshift/external-dns-operator/pull/204: >- bump `x/net` `v0.17.0` >- bump sigs.k8s.io/controller-runtime v0.12.3 (TLSOpts for webhook) >- bump operand image >- disable HTTP/2 for kube-rbac-proxy container >- disable HTTP/2 for webhook server Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.