Merge remote-tracking branch 'origin/main' into k0s-1-29

Author: emosbaugh

.github/actions/e2e/action.yml

@@ -113,6 +113,7 @@ runs:
       export EXPECT_K0S_VERSION_PREVIOUS=${{ inputs.k0s-version-previous }}
       export EXPECT_K0S_VERSION_PREVIOUS_STABLE=${{ inputs.k0s-version-previous-stable }}
       export EXPECT_EMBEDDED_CLUSTER_UPGRADE_TARGET_VERSION=${{ inputs.upgrade-target-ec-version }}
+      export SKIP_LXD_CLEANUP=true
       make e2e-test TEST_NAME=${{ inputs.test-name }}
   - name: Troubleshoot
     if: ${{ !cancelled() }}

.github/workflows/ci.yaml

@@ -41,7 +41,7 @@ jobs:
       - name: Lint
         uses: golangci/golangci-lint-action@v6
         with:
-          args: --build-tags exclude_graphdriver_btrfs
+          args: --build-tags containers_image_openpgp,exclude_graphdriver_btrfs,exclude_graphdriver_devicemapper,exclude_graphdriver_overlay
 
   test:
     name: Unit tests
@@ -73,14 +73,16 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
       - name: Setup go
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
           cache-dependency-path: "**/*.sum"
       - name: Install kind
         run: |
-          curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.24.0/kind-linux-amd64
+          curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.27.0/kind-linux-amd64
           chmod +x ./kind
           sudo mv ./kind /usr/local/bin/kind
       - name: Run tests
@@ -113,6 +115,8 @@ jobs:
     - name: Checkout
       uses: actions/checkout@v4
     - name: Make manifests
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: make -C operator manifests
     - name: Check CRDs
       run: |

.github/workflows/daily-container-scans.yml

@@ -0,0 +1,78 @@
+# Container Security Scans
+# This workflow orchestrates security scanning of container images using Anchore scanner.
+# It runs nightly and can be triggered manually to scan various container images for vulnerabilities.
+name: Container Security Scans
+
+# Trigger configuration
+on:
+  schedule:
+    - cron: '0 0 * * *'  # Runs nightly at midnight (UTC)
+  workflow_dispatch:      # Allows manual triggering through GitHub UI
+
+# Security hardening: Start with no permissions and grant only what's needed
+permissions: {}  # Remove all permissions by default
+
+# Prevent multiple workflow runs from interfering with each other
+# This ensures only one scan runs at a time and new triggers cancel old runs
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  # Get the latest release tag first
+  get-latest-tag:
+    name: Get Latest Release Tag
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read    # Needed to read releases
+    outputs:
+      tag_name: ${{ steps.get_release.outputs.tag_name }}
+    steps:
+      - name: Get latest release
+        id: get_release
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const release = await github.rest.repos.getLatestRelease({
+              owner: context.repo.owner,
+              repo: context.repo.repo
+            });
+            core.setOutput('tag_name', release.data.tag_name);
+  
+  # Scan operator image using latest release tag
+  scan-operator:
+    name: Scan Operator Image
+    needs: get-latest-tag  # Wait for tag to be fetched
+    uses: ./.github/workflows/scan-container-image.yml
+    # Grant required permissions to the reusable workflow
+    permissions:
+      contents: read        # Needed to read workflow files
+      security-events: write # Needed to upload SARIF results
+    with:
+      # Use the latest release tag from the previous job
+      image: replicated/embedded-cluster-operator-image:${{ needs.get-latest-tag.outputs.tag_name }}
+      # Report findings of medium severity or higher
+      severity-cutoff: medium
+      # Continue even if vulnerabilities are found
+      fail-build: false
+      # Specify platform to scan
+      platform: linux/amd64
+
+  # Scan local artifact mirror image using latest release tag
+  scan-registry:
+    name: Scan Local Artifact Mirror Image
+    needs: get-latest-tag  # Wait for tag to be fetched
+    uses: ./.github/workflows/scan-container-image.yml
+    # Grant required permissions to the reusable workflow
+    permissions:
+      contents: read        # Needed to read workflow files
+      security-events: write # Needed to upload SARIF results
+    with:
+      # Use the latest release tag from the previous job
+      image: replicated/embedded-cluster-local-artifact-mirror:${{ needs.get-latest-tag.outputs.tag_name }}
+      # Report findings of medium severity or higher
+      severity-cutoff: medium
+      # Continue even if vulnerabilities are found
+      fail-build: false
+      # Specify platform to scan
+      platform: linux/amd64 

.github/workflows/scan-container-image.yml

@@ -0,0 +1,113 @@
+# This is a reusable workflow for scanning container images using Anchore's vulnerability scanner.
+# It can be called from other workflows to scan any container image and report findings to GitHub Security tab.
+name: Scan Container Image
+
+# Define this as a reusable workflow that other workflows can call
+on:
+  workflow_call:
+    # Define the inputs that callers must/can provide
+    inputs:
+      image:
+        required: true
+        type: string
+        description: 'Container image to scan (format: image:tag)'
+      severity-cutoff:
+        required: false
+        type: string
+        default: 'medium'
+        description: 'Minimum severity to report (critical, high, medium, low, negligible)'
+      fail-build:
+        required: false
+        type: boolean
+        default: false
+        description: 'Fail the workflow if vulnerabilities are found'
+      platform:
+        required: false
+        type: string
+        default: 'linux/amd64'
+        description: 'Platform to scan (e.g., linux/amd64, linux/arm64)'
+
+permissions: {}  # Remove all permissions by default
+
+jobs:
+  scan:
+    name: Scan Image
+    runs-on: ubuntu-latest
+    timeout-minutes: 30  # Default timeout for the job
+    # Permissions required for security scanning and reporting
+    permissions:
+      security-events: write  # Needed to upload SARIF results
+      contents: read         # Needed to read workflow files
+    
+    steps:
+      # Extract and normalize image details for use in later steps
+      # Handles cases where tag might be missing (defaults to 'latest')
+      # Creates a safe name for use in filenames and categories
+      - name: Extract image details
+        id: image_details
+        run: |
+          IMAGE_NAME=$(echo "${{ inputs.image }}" | cut -d':' -f1)
+          IMAGE_TAG=$(echo "${{ inputs.image }}" | cut -d':' -f2)
+          [[ "$IMAGE_TAG" == "$IMAGE_NAME" ]] && IMAGE_TAG="latest"
+          SAFE_NAME=$(echo "${IMAGE_NAME}-${IMAGE_TAG}" | sed 's/[\/:]/-/g')
+          echo "image_name=${IMAGE_NAME}" >> $GITHUB_OUTPUT
+          echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT
+          echo "safe_name=${SAFE_NAME}" >> $GITHUB_OUTPUT
+      
+      # Run Anchore vulnerability scanner on the specified image
+      # Outputs findings in SARIF format for GitHub security dashboard
+      - name: Scan image with Anchore
+        uses: anchore/scan-action@v6
+        id: scan
+        with:
+          image: "${{ inputs.image }}"
+          fail-build: ${{ inputs.fail-build }}
+          severity-cutoff: ${{ inputs.severity-cutoff }}
+          output-format: sarif
+          platform: ${{ inputs.platform }}
+      
+      # Enrich the SARIF output with additional metadata about the scanned image
+      # This helps with tracking and identifying scan results in GitHub Security tab
+      - name: Enrich SARIF with image metadata
+        run: |
+          # Install jq for JSON processing
+          sudo apt-get update && sudo apt-get install -y jq
+          
+          # Add metadata to SARIF using jq
+          # This includes image details, scan time, and repository information
+          jq --arg imageRef "${{ inputs.image }}" \
+             --arg repo "${{ steps.image_details.outputs.image_name }}" \
+             --arg name "${{ steps.image_details.outputs.image_name }}" \
+             --arg tag "${{ steps.image_details.outputs.image_tag }}" \
+             --arg scanTime "$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
+             --arg platform "${{ inputs.platform }}" \
+             '.runs[0].properties = {
+                "imageRef": $imageRef,
+                "repository": $repo,
+                "scanTime": $scanTime,
+                "platform": $platform,
+                "imageMetadata": {
+                  "name": $name,
+                  "tag": $tag
+                }
+              }' results.sarif > enriched-results.sarif
+          
+          mv enriched-results.sarif results.sarif
+      
+      # Upload the SARIF results to GitHub Security tab
+      # Note: This uploads to the repository where the workflow runs, not the image source
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          # Create a unique category for each image to separate findings
+          category: "container-scan-${{ steps.image_details.outputs.safe_name }}"
+      
+      # Archive the SARIF results as an artifact for later reference
+      # Useful for debugging or historical analysis
+      - name: Archive scan results
+        uses: actions/upload-artifact@v4
+        with:
+          name: "sarif-${{ steps.image_details.outputs.safe_name }}"
+          path: results.sarif
+          retention-days: 365 

Makefile

@@ -275,20 +275,20 @@ envtest:
 .PHONY: unit-tests
 unit-tests: envtest
 	KUBEBUILDER_ASSETS="$(shell ./operator/bin/setup-envtest use $(ENVTEST_K8S_VERSION) --bin-dir $(shell pwd)/operator/bin -p path)" \
-		go test -tags exclude_graphdriver_btrfs -v ./pkg/... ./cmd/...
+		go test -tags $(GO_BUILD_TAGS) -v ./pkg/... ./cmd/...
 	$(MAKE) -C operator test
 
 .PHONY: vet
 vet:
-	go vet -tags exclude_graphdriver_btrfs ./...
+	go vet -tags $(GO_BUILD_TAGS) ./...
 
 .PHONY: e2e-tests
 e2e-tests: embedded-release
-	go test -tags exclude_graphdriver_btrfs -timeout 60m -ldflags="$(LD_FLAGS)" -parallel 1 -failfast -v ./e2e
+	go test -tags $(GO_BUILD_TAGS) -timeout 60m -ldflags="$(LD_FLAGS)" -parallel 1 -failfast -v ./e2e
 
 .PHONY: e2e-test
 e2e-test:
-	go test -tags exclude_graphdriver_btrfs -timeout 60m -ldflags="$(LD_FLAGS)" -v ./e2e -run ^$(TEST_NAME)$$
+	go test -tags $(GO_BUILD_TAGS) -timeout 60m -ldflags="$(LD_FLAGS)" -v ./e2e -run ^$(TEST_NAME)$$
 
 .PHONY: dryrun-tests
 dryrun-tests: export DRYRUN_MATCH = Test
@@ -312,11 +312,11 @@ clean:
 
 .PHONY: lint
 lint:
-	golangci-lint run -c .golangci.yml ./... --build-tags exclude_graphdriver_btrfs
+	golangci-lint run -c .golangci.yml ./... --build-tags $(GO_BUILD_TAGS)
 
 .PHONY: lint-and-fix
 lint-and-fix:
-	golangci-lint run --fix -c .golangci.yml ./... --build-tags exclude_graphdriver_btrfs
+	golangci-lint run --fix -c .golangci.yml ./... --build-tags $(GO_BUILD_TAGS)
 
 .PHONY: scan
 scan:
@@ -329,7 +329,7 @@ scan:
 
 .PHONY: buildtools
 buildtools:
-	go build -tags exclude_graphdriver_btrfs -o ./output/bin/buildtools ./cmd/buildtools
+	go build -tags $(GO_BUILD_TAGS) -o ./output/bin/buildtools ./cmd/buildtools
 
 .PHONY: list-distros
 list-distros:

cmd/buildtools/k0s.go

@@ -76,6 +76,12 @@ var k0sImageComponents = map[string]addonComponent{
 			return fmt.Sprintf("registry.k8s.io/pause:%s", opts.upstreamVersion.Original()), nil
 		},
 	},
+	"quay.io/k0sproject/envoy-distroless": {
+		name: "envoy-distroless",
+		getWolfiPackageName: func(opts addonComponentOptions) string {
+			return fmt.Sprintf("envoy-%d.%d", opts.upstreamVersion.Major(), opts.upstreamVersion.Minor())
+		},
+	},
 }
 
 var updateK0sImagesCommand = &cli.Command{

cmd/buildtools/utils.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"bufio"
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
@@ -145,10 +146,12 @@ func ResolveApkoPackageVersion(componentName, packageName, packageVersion string
 		fmt.Sprintf("PACKAGE_NAME=%s", packageName),
 		fmt.Sprintf("PACKAGE_VERSION=%s", packageVersion),
 	}
+	var errBuf bytes.Buffer
 	cmd := exec.Command("make", args...)
+	cmd.Stderr = &errBuf
 	out, err := cmd.Output()
 	if err != nil {
-		return "", fmt.Errorf("run command: %w: %s", err, string(out))
+		return "", fmt.Errorf("run command: %w: %s", err, errBuf.String())
 	}
 	return strings.TrimSpace(string(out)), nil
 }