Merge pull request #30 from avoltz/mkandawires/sync-upstream-fix-CVE-…

…2023-39325 Sync to "upstream/master" to fix CVE-2023-39325/CVE-2023-3978
avoltz · Oct 26, 2023 · 5eee268 · 5eee268
2 parents 2f75e17 + 45dd0ab
commit 5eee268
Show file tree

Hide file tree

Showing 1,509 changed files with 104,560 additions and 39,713 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -44,7 +44,7 @@ jobs:
       id: go
 
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
@@ -8,7 +8,7 @@ jobs:
     name: Check for spelling errors
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - uses: codespell-project/actions-codespell@master
         with:
           check_filenames: true

diff --git a/.github/workflows/darwin.yaml b/.github/workflows/darwin.yaml
@@ -13,7 +13,7 @@ jobs:
           go-version: ^1.16
         id: go
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Build Test
         run: |
           make blob-darwin

diff --git a/.github/workflows/linux.yaml b/.github/workflows/linux.yaml
@@ -16,7 +16,7 @@ jobs:
       id: go
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     - name: Run unit test
       run: |
@@ -25,7 +25,7 @@ jobs:
         sudo dpkg -i packages-microsoft-prod.deb
         sudo apt-get update
         sudo apt-get install blobfuse
-        make verify
+        go test -covermode=count -coverprofile=profile.cov ./pkg/...
 
     - name: Run build test
       run: |

diff --git a/.github/workflows/pluto.yaml b/.github/workflows/pluto.yaml
@@ -11,7 +11,7 @@ jobs:
     steps:
 
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     - name: Download pluto
       uses: FairwindsOps/pluto/github-action@master

diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml
@@ -16,7 +16,7 @@ jobs:
     name: Shellcheck
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Run ShellCheck
       uses: ludeeus/action-shellcheck@master
       env:

diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -16,7 +16,7 @@ jobs:
         id: go
 
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Build an image from Dockerfile
         run: |

diff --git a/.github/workflows/windows.yaml b/.github/workflows/windows.yaml
@@ -16,7 +16,7 @@ jobs:
           go-version: ^1.16
         id: go
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Build Test
         run: |
           make blob-windows

diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,2 @@
+CVE-2023-39325
+CVE-2023-44487
diff --git a/Makefile b/Makefile
@@ -17,7 +17,7 @@ GIT_COMMIT ?= $(shell git rev-parse HEAD)
 REGISTRY ?= andyzhangx
 REGISTRY_NAME ?= $(shell echo $(REGISTRY) | sed "s/.azurecr.io//g")
 IMAGE_NAME ?= blob-csi
-IMAGE_VERSION ?= v1.23.0
+IMAGE_VERSION ?= v1.24.0
 CLOUD ?= AzurePublicCloud
 # Use a custom version for E2E tests if we are in Prow
 ifdef CI
@@ -29,9 +29,10 @@ CSI_IMAGE_TAG ?= $(REGISTRY)/$(IMAGE_NAME):$(IMAGE_VERSION)
 CSI_IMAGE_TAG_LATEST = $(REGISTRY)/$(IMAGE_NAME):latest
 BUILD_DATE ?= $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
 LDFLAGS ?= "-X ${PKG}/pkg/blob.driverVersion=${IMAGE_VERSION} -X ${PKG}/pkg/blob.gitCommit=${GIT_COMMIT} -X ${PKG}/pkg/blob.buildDate=${BUILD_DATE} -s -w -extldflags '-static'"
-E2E_HELM_OPTIONS ?= --set image.blob.pullPolicy=Always --set image.blob.repository=$(REGISTRY)/$(IMAGE_NAME) --set image.blob.tag=$(IMAGE_VERSION) --set driver.userAgentSuffix="e2e-test"
 ifdef ENABLE_BLOBFUSE_PROXY
-override E2E_HELM_OPTIONS := $(E2E_HELM_OPTIONS) --set controller.logLevel=6 --set node.logLevel=6 --set node.enableBlobfuseProxy=true
+E2E_HELM_OPTIONS ?= --set image.blob.pullPolicy=Always --set image.blob.repository=$(REGISTRY)/$(IMAGE_NAME) --set image.blob.tag=$(IMAGE_VERSION) --set driver.userAgentSuffix="e2e-test" --set controller.logLevel=6 --set node.logLevel=6 --set node.enableBlobfuseProxy=true
+else
+E2E_HELM_OPTIONS ?= --set image.blob.pullPolicy=Always --set image.blob.repository=$(REGISTRY)/$(IMAGE_NAME) --set image.blob.tag=$(IMAGE_VERSION) --set driver.userAgentSuffix="e2e-test"
 endif
 E2E_HELM_OPTIONS += ${EXTRA_HELM_OPTIONS}
 GO111MODULE = on
@@ -111,13 +112,13 @@ blob: blobfuse-proxy
 blob-windows:
 	CGO_ENABLED=0 GOOS=windows go build -a -ldflags ${LDFLAGS} -mod vendor -o _output/blobplugin.exe ./pkg/blobplugin
 
-.PHONT: blob-darwin
+.PHONY: blob-darwin
 blob-darwin:
 	CGO_ENABLED=0 GOOS=darwin go build -a -ldflags ${LDFLAGS} -mod vendor -o _output/blobplugin ./pkg/blobplugin
 
 .PHONY: container
 container: blob
-	docker build -t $(CSI_IMAGE_TAG) --output=type=docker -f ./pkg/blobplugin/Dockerfile .
+	docker build -t $(CSI_IMAGE_TAG) --build-arg ARCH=$(ARCH) --output=type=docker -f ./pkg/blobplugin/Dockerfile .
 
 .PHONY: container-linux
 container-linux:
@@ -182,4 +183,4 @@ delete-metrics-svc:
 
 .PHONY: blobfuse-proxy
 blobfuse-proxy:
-	CGO_ENABLED=0 GOOS=linux go build -mod vendor -ldflags="-s -w" -o _output/${ARCH}/blobfuse-proxy ./pkg/blobfuse-proxy
+	CGO_ENABLED=0 GOOS=linux GOARCH=$(ARCH) go build -mod vendor -ldflags="-s -w" -o _output/${ARCH}/blobfuse-proxy ./pkg/blobfuse-proxy
diff --git a/OWNERS b/OWNERS
@@ -1,6 +1,5 @@
 reviewers:
 - andyzhangx
-- ZeroMagic
 - cvvz
 
 approvers:

diff --git a/README.md b/README.md
@@ -15,12 +15,12 @@ Disclaimer: Deploying this driver manually is not an officially supported Micros
 ### Project status: GA
 
 ### Container Images & Kubernetes Compatibility:
-|driver version  |Image                                                 | supported k8s version | built-in blobfuse v1 version | built-in blobfuse v2 version|
-|----------------|------------------------------------------------------|-----------------------|------------------------------| ----------------------------|
-|master branch   |mcr.microsoft.com/k8s/csi/blob-csi:latest             | 1.21+                 | 1.4.5                        | 2.0.3           |
-|v1.22.0         |mcr.microsoft.com/oss/kubernetes-csi/blob-csi:v1.22.0 | 1.21+                 | 1.4.5                        | 2.0.3           |
-|v1.21.3         |mcr.microsoft.com/oss/kubernetes-csi/blob-csi:v1.21.3 | 1.21+                 | 1.4.5                        | 2.0.3           |
-|v1.20.2         |mcr.microsoft.com/oss/kubernetes-csi/blob-csi:v1.20.2 | 1.21+                 | 1.4.5                        | 2.0.3           |
+|driver version  |Image                                                 | supported k8s version |
+|----------------|------------------------------------------------------|-----------------------|
+|master branch   |mcr.microsoft.com/k8s/csi/blob-csi:latest             | 1.21+                 |
+|v1.23.0         |mcr.microsoft.com/oss/kubernetes-csi/blob-csi:v1.23.0 | 1.21+                 |
+|v1.22.2         |mcr.microsoft.com/oss/kubernetes-csi/blob-csi:v1.22.2 | 1.21+                 |
+|v1.21.4         |mcr.microsoft.com/oss/kubernetes-csi/blob-csi:v1.21.4 | 1.21+                 |
 
 ### Driver parameters
 Please refer to `blob.csi.azure.com` [driver parameters](./docs/driver-parameters.md)
@@ -47,7 +47,7 @@ This option does not depend on cloud provider config file, supports cross subscr
 >
 > To install specific blobfuse v2 version, run following command directly after driver is running on the agent node:
 > ```console
-> kubectl patch daemonset csi-blob-node -n kube-system -p '{"spec":{"template":{"spec":{"initContainers":[{"env":[{"name":"INSTALL_BLOBFUSE2","value":"true"},{"name":"BLOBFUSE2_VERSION","value":"2.0.3"}],"name":"install-blobfuse-proxy"}]}}}}'
+> kubectl patch daemonset csi-blob-node -n kube-system -p '{"spec":{"template":{"spec":{"initContainers":[{"env":[{"name":"INSTALL_BLOBFUSE2","value":"true"},{"name":"BLOBFUSE2_VERSION","value":"2.1.0"}],"name":"install-blobfuse-proxy"}]}}}}'
 > ```
 >
  - install by [helm charts](./charts)
@@ -57,7 +57,6 @@ This option does not depend on cloud provider config file, supports cross subscr
    - [Azure RedHat OpenShift](https://github.com/ezYakaEagle442/aro-pub-storage/blob/master/setup-store-CSI-driver-azure-blob.md)
  - install managed CSI driver on following platforms:
    - [AKS](https://learn.microsoft.com/en-us/azure/aks/azure-blob-csi)
-   - [Azure RedHat OpenShift](https://github.com/ezYakaEagle442/aro-pub-storage/blob/master/setup-store-CSI-driver-azure-blob.md)
 
 ### Usage
  - [Basic usage](./deploy/example/e2e_usage.md)

diff --git a/charts/README.md b/charts/README.md
@@ -66,16 +66,16 @@ The following table lists the configurable parameters of the latest Azure Blob S
 | `image.blob.tag`                                      | blob-csi-driver docker image tag                      | `latest`                                                         |
 | `image.blob.pullPolicy`                               | blob-csi-driver image pull policy                     | `IfNotPresent`                                                   |
 | `image.csiProvisioner.repository`                     | csi-provisioner docker image                          | `mcr.microsoft.com/oss/kubernetes-csi/csi-provisioner`           |
-| `image.csiProvisioner.tag`                            | csi-provisioner docker image tag                      | `v3.5.0`                                                         |
+| `image.csiProvisioner.tag`                            | csi-provisioner docker image tag                      | `v3.6.1`                                                         |
 | `image.csiProvisioner.pullPolicy`                     | csi-provisioner image pull policy                     | `IfNotPresent`                                                   |
 | `image.livenessProbe.repository`                      | liveness-probe docker image                           | `mcr.microsoft.com/oss/kubernetes-csi/livenessprobe`             |
-| `image.livenessProbe.tag`                             | liveness-probe docker image tag                       | `v2.10.0`                                                         |
+| `image.livenessProbe.tag`                             | liveness-probe docker image tag                       | `v2.11.0`                                                         |
 | `image.livenessProbe.pullPolicy`                      | liveness-probe image pull policy                      | `IfNotPresent`                                                   |
 | `image.nodeDriverRegistrar.repository`                | csi-node-driver-registrar docker image                | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` |
-| `image.nodeDriverRegistrar.tag`                       | csi-node-driver-registrar docker image tag            | `v2.8.0`                                                      |
+| `image.nodeDriverRegistrar.tag`                       | csi-node-driver-registrar docker image tag            | `v2.9.0`                                                      |
 | `image.nodeDriverRegistrar.pullPolicy`                | csi-node-driver-registrar image pull policy           | `IfNotPresent`                                                   |
 | `image.csiResizer.repository`                         | csi-resizer docker image                              | `mcr.microsoft.com/oss/kubernetes-csi/csi-resizer`               |
-| `image.csiResizer.tag`                                | csi-resizer docker image tag                          | `v1.8.0`                                                         |
+| `image.csiResizer.tag`                                | csi-resizer docker image tag                          | `v1.9.1`                                                         |
 | `image.csiResizer.pullPolicy`                         | csi-resizer image pull policy                         | `IfNotPresent`                                                   |
 | `imagePullSecrets`                                    | Specify docker-registry secret names as an array      | [] (does not add image pull secrets to deployed pods)          |
 | `cloud`                                               | the cloud environment the driver is running on        | `AzurePublicCloud`                                               |
@@ -148,6 +148,7 @@ The following table lists the configurable parameters of the latest Azure Blob S
 | `linux.distro`                                        | configure ssl certificates for different Linux distribution(available values: `debian`, `fedora`)             | `debian`
 | `workloadIdentity.clientID` | client ID of workload identity | ''
 | `workloadIdentity.tenantID` | [optional] If the AAD application or user-assigned managed identity is not in the same tenant as the cluster then set tenantID with the AAD application or user-assigned managed identity tenant ID | ''
+| `node.enableAznfsMount` | enable [AZNFS mount helper](https://github.com/Azure/AZNFS-mount/) for NFS protocol | true
 
 ## troubleshooting
  - Add `--wait -v=5 --debug` in `helm install` command to get detailed error