siddhi-io / siddhi-operator

Operator allows you to run stream processing logic directly on a Kubernetes cluster
Apache License 2.0

Security Issues in siddhi operator Image due to older golang versions. #134

Closed rithikb24 closed 2 years ago

rithikb24 commented 2 years ago

When the Siddhi Operator image is scanned using JFrog, many high-level vulnerabilities arise.

Mostly, these arose due to the older Golang versions. To resolve these, I need help to rebuild the image using newer Golang versions.

The current documentation related to building the image from source isn't working; any help would be appreciated!

BuddhiWathsala commented 2 years ago

@rithikb24 What is the error you got when you build the operator? Could you please share the log? I also want to know the Golang version of your machine.

rithikb24 commented 2 years ago

@BuddhiWathsala I followed the steps mentioned under building from source.

$ mkdir $GOPATH/src/github.com/siddhi-io
$ cd $GOPATH/src/github.com/siddhi-io
$ git clone https://github.com/siddhi-io/siddhi-operator.git

Golang version - go version go1.17.6 linux/amd64

operator-sdk version - operator-sdk version: "v1.10.1-ocp", commit: "dd3b0175211f71218065b34d7f066860599b648a", kubernetes version: "v1.21", go version: "go1.16.6", GOOS: "linux", GOARCH: "amd64

Here's the log when I try to run my command operator-sdk build rithik24/greendecj:siddhioperator

Error: unknown command "build" for "operator-sdk"
Run 'operator-sdk --help' for usage.
FATA[0000] unknown command "build" for "operator-sdk"  


BuddhiWathsala commented 2 years ago

The quick answer is that operator-sdk has changed its build procedure recently. So, you have to follow these steps to build the siddhi-operator with a new operator-sdk installation: https://sdk.operatorframework.io/docs/building-operators/golang/quickstart/#steps

rithikb24 commented 2 years ago

@BuddhiWathsala new operator-sdk installation just provides me the new template. I am not sure about how to migrate siddhi to the operator-sdk installation.

Could you help out with this?

Otherwise, I think an easier solution might be to use an older operator-sdk release to build it again; I just want to upgrade the Golang version.

BuddhiWathsala commented 2 years ago

Older operator-sdk with a new Golang version would also work, and I think it would be the easiest approach. I'll try this with the new operator-sdk and let you know as well.

rithikb24 commented 2 years ago

@BuddhiWathsala Okay, thank you so much. I will keep trying using the older operator-sdk from my end. Looking forward to hearing from you.

rithikb24 commented 2 years ago

@BuddhiWathsala

I am using https://github.com/operator-framework/operator-sdk/releases/tag/v0.14.1 from 2020

These are the logs after I ran

operator-sdk build rithik24/greendecj:siddhioperator

pkg/apis/nats/v1alpha2/cluster.go:30:2: no required module provides package github.com/nats-io/nats-operator/pkg/constants; to add it:
    go get github.com/nats-io/nats-operator/pkg/constants
cmd/manager/main.go:33:2: missing go.sum entry for module providing package github.com/operator-framework/operator-sdk/pkg/k8sutil (imported by github.com/siddhi-io/siddhi-operator/cmd/manager); to add:
    go get github.com/siddhi-io/siddhi-operator/cmd/manager
cmd/manager/main.go:34:2: missing go.sum entry for module providing package github.com/operator-framework/operator-sdk/pkg/leader (imported by github.com/siddhi-io/siddhi-operator/cmd/manager); to add:
    go get github.com/siddhi-io/siddhi-operator/cmd/manager
cmd/manager/main.go:35:2: missing go.sum entry for module providing package github.com/operator-framework/operator-sdk/pkg/log/zap (imported by github.com/siddhi-io/siddhi-operator/cmd/manager); to add:
    go get github.com/siddhi-io/siddhi-operator/cmd/manager
cmd/manager/main.go:36:2: missing go.sum entry for module providing package github.com/operator-framework/operator-sdk/pkg/metrics (imported by github.com/siddhi-io/siddhi-operator/cmd/manager); to add:
    go get github.com/siddhi-io/siddhi-operator/cmd/manager
cmd/manager/main.go:28:2: missing go.sum entry for module providing package github.com/operator-framework/operator-sdk/version (imported by github.com/siddhi-io/siddhi-operator/cmd/manager); to add:
    go get github.com/siddhi-io/siddhi-operator/cmd/manager
Error: failed to build operator binary: (failed to exec []string{"go", "build", "-o", "/home/rithik/siddhi-operator/build/_output/bin/siddhi-operator", "-gcflags", "all=-trimpath=/home/rithik", "-asmflags", "all=-trimpath=/home/rithik", "github.com/siddhi-io/siddhi-operator/cmd/manager"}: exit status 1)
Usage:
  operator-sdk build <image> [flags]

Flags:
      --go-build-args string      Extra Go build arguments as one string such as "-ldflags -X=main.xyz=abc"
  -h, --help                      help for build
      --image-build-args string   Extra image build arguments as one string such as "--build-arg https_proxy=$https_proxy"
      --image-builder string      Tool to build OCI images. One of: [docker, podman, buildah] (default "docker")

Global Flags:
      --verbose   Enable verbose logging

After running go get github.com/nats-io/nats-operator/pkg/constants:

go get: github.com/nats-io/nats-operator@v0.8.3 requires
    k8s.io/apiextensions-apiserver@v0.0.0: reading k8s.io/apiextensions-apiserver/go.mod at revision v0.0.0: unknown revision v0.0.0

What should be my exact steps after cloning the repo? Currently, if I run the operator-sdk build command directly, it gives a GOPATH error.

So I run,

go mod init example.com
go mod tidy

Then I got the above-mentioned logs.

BuddhiWathsala commented 2 years ago

Did you create the directory structure $GOPATH/github.com/siddhi-io/siddhi-operator in your GOPATH and clone the project in there when you were building this project?

rithikb24 commented 2 years ago

@BuddhiWathsala Yes, I had.

rithikb24 commented 2 years ago

@BuddhiWathsala Could you try building the image with the older operator and newer Golang versions, using this operator: https://github.com/operator-framework/operator-sdk/releases/tag/v0.14.1

rithikb24 commented 2 years ago

@mohanvive @BuddhiWathsala @suhothayan @maheshika could anyone help with this?

BuddhiWathsala commented 2 years ago

This was an issue that occurred during the resolution of the nats-operator dependency. This automatically gets the latest nats version, which has some problems, rather than resolving the exact nats-operator version (v0.5.0) which we need. I fixed it here:

https://github.com/BuddhiWathsala/siddhi-operator

Please try to build that and see.
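
A defender's follow-up check for this kind of fix, added here as an example and not part of the siddhi-operator project or of this thread: after rebuilding, copy the operator binary out of the image (for example with `docker cp`) and read its embedded build metadata, without running it, to confirm both that the toolchain meets the minimum you expect (say go1.17.6, the version used in this thread) and that the nats-operator dependency resolved to the intended version rather than whatever was latest. The `github.com/nats-io/nats-operator` module path comes from the build log above; the tool name `gocheck`, the minimum-version argument and the use of `debug/buildinfo` (Go 1.18 or newer) are my choices, not the project's.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// ToolchainReport is what the check extracts from a Go binary.
type ToolchainReport struct {
	GoVersion    string // toolchain recorded in the binary, e.g. "go1.17.6"
	NatsOperator string // linked version of github.com/nats-io/nats-operator, "" if absent
	Outdated     bool   // GoVersion is older than the required minimum
}

// GoVersionAtLeast reports whether toolchain version have is >= want.
func GoVersionAtLeast(have, want string) (bool, error) {
	var h, w [3]int
	for _, p := range []struct{ s string; v *[3]int }{{have, &h}, {want, &w}} {
		// Sscanf stops at the first mismatch: "go1.17" / "go1.17.6" give 2 or 3 numbers, "devel ..." gives fewer and is rejected.
		if n, _ := fmt.Sscanf(p.s, "go%d.%d.%d", &p.v[0], &p.v[1], &p.v[2]); n < 2 {
			return false, fmt.Errorf("unrecognised Go version %q", p.s)
		}
	}
	// Lexicographic comparison of (major, minor, patch); a missing patch counts as 0.
	return h[0] > w[0] || h[0] == w[0] && (h[1] > w[1] || h[1] == w[1] && h[2] >= w[2]), nil
}

// InspectBinary reads the build metadata embedded in a Go binary (e.g. the operator binary copied out of the image) without executing it.
func InspectBinary(path, minGo string) (ToolchainReport, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return ToolchainReport{}, err
	}
	rep := ToolchainReport{GoVersion: info.GoVersion}
	for _, d := range info.Deps {
		if d.Path == "github.com/nats-io/nats-operator" { // module path seen in the build log
			rep.NatsOperator = d.Version
		}
	}
	ok, err := GoVersionAtLeast(info.GoVersion, minGo)
	rep.Outdated = !ok
	return rep, err
}

// Usage (hypothetical tool name): gocheck <binary> <min-go-version>, e.g. gocheck ./siddhi-operator go1.17.6
func main() {
	rep, err := InspectBinary(os.Args[1], os.Args[2])
	fmt.Printf("%+v (err=%v)\n", rep, err)
}
```

Run it against the binary extracted from both the old and the rebuilt image; a non-empty `NatsOperator` field also lets you confirm which nats-operator version actually got linked in.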

rithikb24 commented 2 years ago

@BuddhiWathsala I was able to build the image now, thanks a lot for your help!