Develop

.github/actions/k3s-cluster/action.yaml

@@ -13,16 +13,16 @@ inputs:
 outputs:
   kubeconfig:
     description: Path to kubeconfig file
-    value: ${{ steps.set-output.outputs.kubeconfig }}
+    value: ${{ steps.set-versions.outputs.kubeconfig }}
   k3s-version:
     description: "Installed k3s version, such as v1.20.0+k3s2"
-    value: "${{ steps.set-output.outputs.k3s-version }}"
+    value: "${{ steps.set-versions.outputs.k3s-version }}"
   k8s-version:
     description: "Installed k8s version, such as v1.20.0"
-    value: "${{ steps.set-output.outputs.k8s-version }}"
+    value: "${{ steps.set-versions.outputs.k8s-version }}"
   helm-version:
     description: "Installed helm version, such as v3.4.2"
-    value: "${{ steps.set-output.outputs.helm-version }}"
+    value: "${{ steps.set-versions.outputs.helm-version }}"
 
 runs:
   using: "composite"
@@ -49,12 +49,12 @@ runs:
       shell: bash
 
     - name: Set version output
-      id: set-output
+      id: set-versions
       run: |
         echo "::group::Set version output"
-        echo "::set-output name=kubeconfig::$HOME/.kube/config"
-        echo "::set-output name=k3s-version::$(k3s --version | sed 's/.*\(v[0-9][^ ]*\).*/\1/')"
-        echo "::set-output name=k8s-version::$(k3s --version | sed 's/.*\(v[0-9][^+]*\).*/\1/')"
+        echo "kubeconfig=$HOME/.kube/config" >> $GITHUB_OUTPUT
+        echo "k3s-version=$(k3s --version | grep 'k3s' | sed 's/.*\(v[0-9][^ ]*\).*/\1/')" >> $GITHUB_OUTPUT
+        echo "k8s-version=$(k3s --version | grep 'k3s' | sed 's/.*\(v[0-9][^+]*\).*/\1/')" >> $GITHUB_OUTPUT
         echo "::endgroup::"
       shell: bash
 

.github/actions/safety/action.yaml

@@ -4,7 +4,9 @@ runs:
   using: "composite"
   steps:
     - name: Install packages
-      run: pip3 install -r requirements_dev.txt
+      run: |
+        pip3 install --upgrade pip
+        pip3 install -r requirements_dev.txt
       shell: sh
     - name: Freeze packages
       run: pip3 freeze > actual_package_versions.txt

.github/workflows/cicd.yaml

@@ -9,6 +9,10 @@ on:
       - master
       - develop
 
+# Reduce default permission of GITHUB_TOKEN to nothing
+# Repository can still be checked out during these jobs
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -68,7 +72,9 @@ jobs:
       - uses: actions/checkout@v3
       - name: Install packages
         # Since we run inside an alpine based container, we cannot compile yarl and multidic
-        run: YARL_NO_EXTENSIONS=1 MULTIDICT_NO_EXTENSIONS=1 pip3 install -r requirements_dev.txt
+        run: |
+          pip3 install --upgrade pip
+          YARL_NO_EXTENSIONS=1 MULTIDICT_NO_EXTENSIONS=1 pip3 install -r requirements_dev.txt
       - name: Lint
         run: pylint --ignore-patterns=tests,coverage connaisseur
 
@@ -79,7 +85,10 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - name: Install packages
-        run: pip3 install -r requirements_dev.txt && pip3 install .
+        run: |
+          apt update && apt install gcc build-essential -y
+          pip3 install --upgrade pip
+          pip3 install -r requirements_dev.txt && pip3 install .
       - name: Install Git and curl
         run: apt update && apt install -y git curl
       - name: Test
@@ -88,7 +97,6 @@ jobs:
         uses: codecov/[email protected]
         with:
           file: coverage.xml
-          fail_ci_if_error: true
 
   bandit:
     runs-on: ubuntu-latest
@@ -212,6 +220,7 @@ jobs:
             "deployment",
             "pre-config",
             "other-ns",
+            "configured-cert",
           ]
     services:
       alerting-endpoint:
@@ -229,7 +238,7 @@ jobs:
       - uses: ./.github/actions/k8s-version-config
         name: Setup k8s cluster
         with:
-          k8s-version: v1.22
+          k8s-version: v1.25
       - name: Set environment variables for alerting listener
         run: |
           CONTAINER=$(docker container ls --no-trunc --format "{{json . }}" | jq ' . | select(.Image|match("alerting-endpoint"))')
@@ -261,12 +270,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        k8s-version:
-          [
-            "v1.16",
-            "v1.17",
-            "v1.18",
-            "v1.19",
+        k8s-version: [
             "v1.20",
             "v1.21",
             "v1.22",
@@ -302,6 +306,47 @@ jobs:
           kubectl logs -n connaisseur -lapp.kubernetes.io/name=connaisseur --prefix=true
         shell: bash
 
+  k8s-legacy-versions:
+    # k3s with older versions doesn't play with newer kernel, so we're running those on deprecated hosts, yay...
+    runs-on: ubuntu-18.04
+    needs: [build]
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s-version: [
+            "v1.16",
+            "v1.17",
+            "v1.18",
+            "v1.19",
+          ]
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install yq
+        run: |
+          sudo snap install yq
+      - uses: actions/download-artifact@v3
+        with:
+          name: images
+      - uses: ./.github/actions/k8s-version-config
+        name: Setup k8s cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+      - name: Configure Connaisseur
+        run: |
+          yq e '.deployment.imagePullPolicy = "Never"' -i helm/values.yaml
+          yq e '.policy +={"pattern": "docker.io/securesystemsengineering/connaisseur:v*"} | .policy[4].pattern style="double"' -i helm/values.yaml
+          yq e '.policy[4].validator = "allow"' -i helm/values.yaml
+          yq e '.deployment.replicasCount = "1"' -i helm/values.yaml
+      - name: Run pre-config and workload integration tests
+        run: |
+          bash tests/integration/integration-test.sh "pre-and-workload"
+        shell: bash
+      - name: Display k8s logs if integration test failed
+        if: failure()
+        run: |
+          kubectl logs -n connaisseur -lapp.kubernetes.io/name=connaisseur --prefix=true
+        shell: bash
+
   upgrade-test:
     runs-on: ubuntu-latest
     needs: [build]
@@ -323,7 +368,7 @@ jobs:
       - uses: ./.github/actions/k8s-version-config
         name: Setup k8s cluster
         with:
-          k8s-version: v1.22
+          k8s-version: v1.25
       - uses: actions/checkout@v3
         with:
           ref: "master"

.github/workflows/codeql-analysis.yml

@@ -8,6 +8,10 @@ on:
   schedule:
     - cron: '40 6 * * 3'
 
+# Reduce default permission of GITHUB_TOKEN to nothing
+# Repository can still be checked out during these jobs
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze

.github/workflows/dockerhub-check.yml

@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: '37 6 * * 3'
 
+# No permissions needed
+permissions: {}
+
 jobs:
   dockerhub-check:
     runs-on: ubuntu-latest

.github/workflows/docs-dev.yaml

@@ -5,6 +5,10 @@ on:
     branches:
       - develop
 
+# Needs write on repo contents as it pushes to gh-pages branch
+permissions:
+  contents: write
+
 jobs:
   deploy:
     runs-on: ubuntu-latest

.github/workflows/docs.yaml

@@ -5,6 +5,10 @@ on:
     tags:
       - 'v*.*.*'
 
+# Needs write on repo contents as it pushes to gh-pages branch
+permissions:
+  contents: write
+
 jobs:
   deploy:
     runs-on: ubuntu-latest

.github/workflows/nightly-scans.yaml

@@ -2,7 +2,11 @@ name: nightly-scans
 
 on:
   schedule:
-    - cron: '30 1 * * *'
+    - cron: "30 1 * * *"
+
+# Reduce default permission of GITHUB_TOKEN to nothing
+# Repository can still be checked out during these jobs
+permissions: {}
 
 jobs:
   build:
@@ -49,8 +53,7 @@ jobs:
         run: |
           sudo snap install yq
       - name: Get latest public image
-        run:
-          echo "LATEST-IMAGE=docker.io/$(yq e '.deployment.image' helm/values.yaml)" >> $GITHUB_ENV
+        run: echo "LATEST-IMAGE=docker.io/$(yq e '.deployment.image' helm/values.yaml)" >> $GITHUB_ENV
       - name: Run Trivy
         uses: aquasecurity/trivy-action@master
         with:
@@ -78,8 +81,8 @@ jobs:
       - uses: actions/upload-artifact@v3
         if: failure()
         with:
-           name: trivy-reports
-           path: trivy-reports
+          name: trivy-reports
+          path: trivy-reports
 
   get-root:
     runs-on: ubuntu-latest
@@ -99,7 +102,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        integration-test-arg: ["regular", "cosign", "deployment", "pre-config", "helm-repo"]
+        integration-test-arg:
+          ["regular", "cosign", "deployment", "pre-config", "helm-repo"]
     services:
       alerting-endpoint:
         image: securesystemsengineering/alerting-endpoint
@@ -115,7 +119,7 @@ jobs:
       - uses: ./.github/actions/k3s-cluster
         name: Setup K8s cluster
         with:
-          k3s-channel: v1.22
+          k3s-channel: v1.25
       - name: Set environment variables for alerting listener
         run: |
           CONTAINER=$(docker container ls --no-trunc --format "{{json . }}" | jq ' . | select(.Image|match("alerting-endpoint"))')
@@ -146,8 +150,50 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        k8s-version:
-          ["v1.16", "v1.17", "v1.18", "v1.19", "v1.20", "v1.21", "v1.22", "v1.23", "v1.24", "v1.25"]
+        k8s-version: [
+            "v1.20",
+            "v1.21",
+            "v1.22",
+            "v1.23",
+            "v1.24",
+            "v1.25",
+          ]
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install yq
+        run: |
+          sudo snap install yq
+      - uses: ./.github/actions/k8s-version-config
+        name: Setup k8s cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+          load-local-image: false
+      - name: Configure Connaisseur
+        run: |
+          yq e '.deployment.replicasCount = "1"' -i helm/values.yaml
+      - name: Run pre-config and workload integration tests
+        run: |
+          bash tests/integration/integration-test.sh "nightly-pre-and-workload"
+        shell: bash
+      - name: Display k8s logs if integration test failed
+        if: failure()
+        run: |
+          kubectl logs -n connaisseur -lapp.kubernetes.io/name=connaisseur --prefix=true
+        shell: bash
+
+
+  k8s-legacy-versions:
+    # k3s with older versions doesn't play with newer kernel, so we're running those on deprecated hosts, yay...
+    runs-on: ubuntu-18.04
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s-version: [
+            "v1.16",
+            "v1.17",
+            "v1.18",
+            "v1.19",
+          ]
     steps:
       - uses: actions/checkout@v3
       - name: Install yq

.github/workflows/release.yaml

@@ -4,6 +4,10 @@ on:
   push:
     tags: "v*"
 
+# Reduce default permission of GITHUB_TOKEN to nothing
+# Repository can still be checked out during these jobs
+permissions: {}
+
 jobs:
   version-match:
     runs-on: ubuntu-latest
@@ -46,7 +50,7 @@ jobs:
       - uses: ./.github/actions/k8s-version-config
         name: Setup k8s cluster
         with:
-          k8s-version: v1.22
+          k8s-version: v1.25
           load-local-image: false
       - name: Set environment variables for alerting listener
         run: |
@@ -76,6 +80,8 @@ jobs:
   publish_chart:
     runs-on: ubuntu-latest
     needs: [version-match, integration-test]
+    permissions:
+      contents: write
     steps:
       - name: Install Helm and Git
         run: |

.trivyignore

@@ -1,3 +1,3 @@
-CVE-2022-23628
-CVE-2022-28946
-CVE-2022-28948
+CVE-2022-32149
+GHSA-69ch-w2m2-3vjp
+CVE-2022-41717

Makefile

@@ -1,6 +1,6 @@
 NAMESPACE = connaisseur
 IMAGE := $(shell yq e '.deployment.image' helm/values.yaml)
-COSIGN_VERSION = 1.12.1
+COSIGN_VERSION = 1.13.1
 
 .PHONY: all docker install uninstall upgrade annihilate
 

connaisseur/__main__.py

@@ -5,13 +5,12 @@
 from logging.config import dictConfig
 
 from cheroot.server import HTTPServer
-from cheroot.wsgi import Server
 from cheroot.ssl.builtin import BuiltinSSLAdapter
+from cheroot.wsgi import Server
 
 from connaisseur.flask_application import APP
 from connaisseur.logging_wrapper import ConnaisseurLoggingWrapper
 
-
 if __name__ == "__main__":
     LOG_LEVEL = os.environ.get("LOG_LEVEL", "INFO")