Closed enekofb closed 1 year ago
A suggested plan could be:
1) Tactic: restore the functionality in the next release by having the binary available.
There are two directions:
In any case, we should engage with @foot both for visibility and to verify what this change means for the Azure marketplace. I could imagine that if the image passes the vulnerability scanner, we are good to go.
2) Find out whether this is the best-balanced alternative we have available. Some could be:
3) Implement 2).
4) Ensure regressions are tested.
Oh no! Yeah, this was the image base change. Sorry about that.
We're trying to understand Azure's CVE policy at the moment; it's a bit strict. Alpine has been flagged by Azure every time we try to publish (openssl issues), so switching to distroless helped there.
If we need all those libs etc., maybe it's better to switch back to alpine though. There is another PR up to keep our openssl up to date when building, https://github.com/weaveworks/weave-gitops-enterprise/pull/2961, which will hopefully help too.
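As an added example, not the project's own Dockerfile, here is the shape of an Alpine-based runtime stage that installs gnupg and makes the build itself fail if the gpg binary is absent or cannot run, so a base-image change cannot silently drop it again. The build stage name, the Go package path, the output binary path, the Alpine tag and the unprivileged user are all assumptions for illustration.

```dockerfile
# Added example; assumes a Go build stage producing /out/clusters-service
# from ./cmd/clusters-service (hypothetical path).
FROM golang:1.20-alpine AS builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/clusters-service ./cmd/clusters-service

# Runtime stage. Distroless images carry no package manager and no gpg, so
# this uses alpine and installs gnupg, which pulls in libgcrypt, libgpg-error,
# libassuan and friends as apk dependencies.
FROM alpine:3.18
RUN apk add --no-cache gnupg ca-certificates \
    # Build-time smoke test: the build fails here if gpg is missing or unlinked.
    && gpg --version

# Run as an unprivileged user with an explicit, writable GNUPGHOME so gpg's
# home directory does not depend on how HOME is set inside the container.
RUN adduser -D -u 65532 app \
    && mkdir -p /home/app/.gnupg \
    && chown -R app:app /home/app/.gnupg \
    && chmod 700 /home/app/.gnupg
USER app
ENV GNUPGHOME=/home/app/.gnupg

COPY --from=builder /out/clusters-service /usr/local/bin/clusters-service
ENTRYPOINT ["/usr/local/bin/clusters-service"]
```

The `gpg --version` in the install step is the regression guard: it turns "binary not found" into a failed image build rather than a 500 at request time. After building, the same scanner used on the thread's branch (`docker scan`, or whatever the marketplace requires) can be run against the resulting image to confirm the alpine packages pass.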
Testing the branch in the fluxga environment:
~ $ which gpg
/usr/bin/gpg
~ $ gpg --version
gpg (GnuPG) 2.4.1
libgcrypt 1.10.2
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: //.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
~ $
{"level":"error","ts":"2023-06-20T14:06:43.575Z","msg":"server error","error":"failed to encrypt secret: exit status 2"}
{"level":"info","ts":"2023-06-20T14:06:43.575Z","msg":"server error","uri":"/v1/encrypt-sops-secret","status":500}
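The log line above surfaces only "exit status 2" from the exec'd binary, which is what made the missing-gpg cause hard to see. As an added example in Go (the project's language), not code from weave-gitops-enterprise itself, the snippet below shows two checks a practitioner would want around such a dependency: a startup check that resolves the binary on PATH and reports its version, and a runner that wraps a non-zero exit with the captured stderr so the operator sees the tool's own diagnostic. The function names and the binary name "gpg" are assumptions; the sample shell command in the test is constructed to stand in for a failing gpg invocation.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// CheckBinary resolves name on PATH and returns its absolute path. A missing
// binary yields an error that names it, instead of failing later with a bare
// exit status from exec (hypothetical helper, not the project's own code).
func CheckBinary(name string) (string, error) {
	path, err := exec.LookPath(name)
	if err != nil {
		return "", fmt.Errorf("required binary %q not found in PATH: %w", name, err)
	}
	return path, nil
}

// RunCapturingStderr runs name with args and returns its stdout. On a non-zero
// exit the returned error carries the exit code and the trimmed stderr, which
// is where gpg writes its diagnostics.
func RunCapturingStderr(name string, args ...string) (string, error) {
	cmd := exec.Command(name, args...)
	var stdout, stderr bytes.Buffer
	cmd.Stdout = &stdout
	cmd.Stderr = &stderr
	if err := cmd.Run(); err != nil {
		var exitErr *exec.ExitError
		if errors.As(err, &exitErr) {
			return "", fmt.Errorf("%s exited with code %d: %s",
				name, exitErr.ExitCode(), strings.TrimSpace(stderr.String()))
		}
		// Not an ExitError: the process could not be started at all.
		return "", fmt.Errorf("failed to start %s: %w", name, err)
	}
	return stdout.String(), nil
}

// GPGVersion is a startup check: it verifies the binary is on PATH and
// returns the first line of `<binary> --version` (e.g. "gpg (GnuPG) 2.4.1")
// for the service to log before accepting encryption requests.
func GPGVersion(binary string) (string, error) {
	if _, err := CheckBinary(binary); err != nil {
		return "", err
	}
	out, err := RunCapturingStderr(binary, "--version")
	if err != nil {
		return "", err
	}
	return strings.SplitN(out, "\n", 2)[0], nil
}

func main() {
	// Assumption: the binary is named "gpg", as in the thread's `which gpg`.
	v, err := GPGVersion("gpg")
	if err != nil {
		fmt.Println("startup check failed:", err)
		return
	}
	fmt.Println("gpg available:", v)
}
```

Wiring `GPGVersion` into the service's startup path means an image without gpg fails loudly at boot (and a readiness probe never goes green), rather than returning a 500 on `/v1/encrypt-sops-secret` with an error that hides the cause.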
With the latest in the branch, this is how it works.
Tested for vulnerabilities:
➜ weave-gitops-enterprise git:(add-gpg-to-wge-eneko) ✗ docker scan --accept-license docker.io/weaveworks/weave-gitops-enterprise-clusters-service:add-gpg-to-wge-eneko-0550d01e-WIP
Testing docker.io/weaveworks/weave-gitops-enterprise-clusters-service:add-gpg-to-wge-eneko-0550d01e-WIP...
Package manager: apk
Project name: docker-image|docker.io/weaveworks/weave-gitops-enterprise-clusters-service
Docker image: docker.io/weaveworks/weave-gitops-enterprise-clusters-service:add-gpg-to-wge-eneko-0550d01e-WIP
Platform: linux/arm64
✔ Tested 50 dependencies for known vulnerabilities, no vulnerable paths found.
For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp
WGE release: v0.25.0
Priority
Severity
Describe the bug
Initially found here. Where, in the context of addressing CVEs found for WGE and Azure Marketplace, we changed the clusters-service base image.
Given that the create sops secret journey relies on having the gpg binary, when the journey is exercised we get the following error:
To Reproduce
Actual behaviour
gpg binary not found
Expected behaviour
Additional context