Comparing changes

base repository: fluxcd/helm-controller
base: v0.17.1
head repository: fluxcd/helm-controller
compare: v0.17.2
  • 8 commits
  • 6 files changed
  • 3 contributors

Commits on Mar 15, 2022

  1. Update Helm to v3.8.1

    While moving away from the fork with a manual patch applied for memory
    leak issues.
    
    Signed-off-by: Hidde Beydals <hello@hidde.co>
    hiddeco committed Mar 15, 2022

    Unverified

    This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
    a23b6ce
  2. add fsgroup for securityContext

    Signed-off-by: Kingdon Barrett <kingdon@weave.works>
    Kingdon Barrett authored and hiddeco committed Mar 15, 2022

    Unverified

    This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
    d39d60d
  3. Update containerd to v1.5.10

    This mitigates CVE-2022-23648.
    
    Signed-off-by: Hidde Beydals <hello@hidde.co>
    hiddeco committed Mar 15, 2022

    Unverified

    This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
    b40454e
  4. Remove opencontainers/image-spec overwrite

    Helm now depends on Oras v1.0.x, which contains the right version.
    
    Signed-off-by: Hidde Beydals <hello@hidde.co>
    hiddeco committed Mar 15, 2022

    Unverified

    This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
    fdffc4a
  5. Remove docker/cli overwrite

    Helm now depends on Oras v1.0.x, which contains a newer version.
    
    Signed-off-by: Hidde Beydals <hello@hidde.co>
    hiddeco committed Mar 15, 2022

    Unverified

    This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
    d14cf6a
  6. Overwrite fuzz dependencies to use current

    Signed-off-by: Hidde Beydals <hello@hidde.co>
    hiddeco committed Mar 15, 2022

    Unverified

    This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
    8c0d563
  7. Release v0.17.2

    Signed-off-by: Hidde Beydals <hello@hidde.co>
    hiddeco committed Mar 15, 2022

    Unverified

    This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
    1ad2dc7
  8. Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
    5fe66f4
Showing with 98 additions and 73 deletions.
  1. +23 −0 CHANGELOG.md
  2. +4 −0 config/manager/deployment.yaml
  3. +1 −1 config/manager/kustomization.yaml
  4. +28 −46 go.mod
  5. +36 −26 go.sum
  6. +6 −0 tests/fuzz/go.mod
23 changes: 23 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,28 @@
# Changelog

## 0.17.2

**Release date:** 2022-03-15

This prerelease comes with an update for `github.com/containerd/containerd` to
`v1.5.10` to please static security analysers and fix any warnings for
CVE-2022-23648.

In addition, it updates Helm from a forked and patched `v3.8.0`, to the
official `v3.8.1` release, and updates minor dependencies.

The Deployment manifest contains a patch to set the
`.spec.securityContext.fsGroup`, which may be required for some EKS setups
as reported in https://github.com/fluxcd/flux2/issues/2537.

Improvements:
- Update Helm to v3.8.1
[#434](https://github.com/fluxcd/helm-controller/pull/434)
- add fsgroup for securityContext
[#435](https://github.com/fluxcd/helm-controller/pull/435)
- Update containerd to v1.5.10 and tidy go.mod
[#436](https://github.com/fluxcd/helm-controller/pull/436)

## 0.17.1

**Release date:** 2022-02-22
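Review bot: In the 0.17.2 entry, the phrase "to please static security analysers and fix any warnings for CVE-2022-23648" leaves it unclear whether helm-controller is actually exposed to the CVE or whether the containerd bump is scanner hygiene only. State that explicitly so operators can prioritise the upgrade. The fsGroup paragraph also omits the value being set (1337) and the fact that it lands in the default Deployment manifest for every cluster, not only the EKS setups it mentions; both are worth a line.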
4 changes: 4 additions & 0 deletions config/manager/deployment.yaml
@@ -18,6 +18,10 @@ spec:
prometheus.io/port: "8080"
spec:
terminationGracePeriodSeconds: 600
securityContext:
# Required for AWS IAM Role bindings
# https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
fsGroup: 1337
containers:
- name: manager
image: fluxcd/helm-controller
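Review bot: `fsGroup: 1337` under the pod-level `securityContext` is an unexplained magic number. The comment says why an fsGroup is needed (AWS IAM Role bindings) but not why this GID, and the setting applies to every cluster that uses this base manifest, not only EKS. Add a short comment on what the group is for, and note that the kubelet applies this group to volumes that support ownership management, so any volume added to this pod later inherits it.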
2 changes: 1 addition & 1 deletion config/manager/kustomization.yaml
@@ -5,4 +5,4 @@ resources:
images:
- name: fluxcd/helm-controller
newName: fluxcd/helm-controller
newTag: v0.17.1
newTag: v0.17.2
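Review bot: `newTag: v0.17.2` pins the controller image by a mutable tag only. If the release process can supply it, consider pinning by `digest` in this `images` entry so the deployed image is fixed to the build that was released.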
74 changes: 28 additions & 46 deletions go.mod
@@ -5,7 +5,7 @@ go 1.17
replace github.com/fluxcd/helm-controller/api => ./api

require (
github.com/fluxcd/helm-controller/api v0.17.1
github.com/fluxcd/helm-controller/api v0.17.2
github.com/fluxcd/pkg/apis/acl v0.0.3
github.com/fluxcd/pkg/apis/kustomize v0.3.1
github.com/fluxcd/pkg/apis/meta v0.10.2
@@ -16,26 +16,32 @@ require (
github.com/onsi/ginkgo v1.16.5
github.com/onsi/gomega v1.17.0
github.com/spf13/pflag v1.0.5
github.com/yvasiyarov/go-metrics v0.0.0-20150112132944-c25f46c4b940 // indirect
github.com/yvasiyarov/gorelic v0.0.7 // indirect
github.com/yvasiyarov/newrelic_platform_go v0.0.0-20160601141957-9c099fbc30e9 // indirect
golang.org/x/text v0.3.7 // indirect
helm.sh/helm/v3 v3.8.0
k8s.io/api v0.23.1
k8s.io/apiextensions-apiserver v0.23.1
k8s.io/apimachinery v0.23.1
k8s.io/cli-runtime v0.23.1
k8s.io/client-go v0.23.1
helm.sh/helm/v3 v3.8.1
k8s.io/api v0.23.4
k8s.io/apiextensions-apiserver v0.23.4
k8s.io/apimachinery v0.23.4
k8s.io/cli-runtime v0.23.4
k8s.io/client-go v0.23.4
sigs.k8s.io/controller-runtime v0.11.0
sigs.k8s.io/kustomize/api v0.10.1
sigs.k8s.io/yaml v1.3.0
)

// Temporary fork of Helm v3.8.0 with patch applied from
// https://github.com/helm/helm/pull/10486 to solve memory leak and issues as
// described in https://github.com/fluxcd/helm-controller/issues/351.
// TODO: Remove once Helm v3.8.1 is released.
replace helm.sh/helm/v3 v3.8.0 => github.com/hiddeco/helm/v3 v3.0.0-20220128105410-34ef0a7a5811
// Pin kustomize to v4.4.1
replace (
sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.10.1
sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.13.0
)

// Fix CVE-2021-30465
// Fix CVE-2021-43784
// Fix GO-2021-0085
// Fix GO-2021-0087
replace github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.3

// Fix CVE-2021-43816
// Fix CVE-2022-23648
replace github.com/containerd/containerd => github.com/containerd/containerd v1.5.10

require (
cloud.google.com/go v0.99.0 // indirect
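Review bot: The `replace` directives for `github.com/opencontainers/runc` (v1.0.3) and `github.com/containerd/containerd` (v1.5.10) list the CVE ids they fix but no removal condition, unlike the Helm fork replace deleted in this same hunk, which carried "TODO: Remove once Helm v3.8.1 is released." Because a `replace` with no version on the left overrides every version the module graph selects, these pins will also hold the modules back once a dependency requires something newer. Add a TODO stating when each can be dropped. Minor: the comment "Pin kustomize to v4.4.1" names the kustomize release while the lines pin `api v0.10.1` and `kyaml v0.13.0`; spell out that mapping in the comment.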
@@ -141,7 +147,8 @@ require (
golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b // indirect
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
golang.org/x/text v0.3.7 // indirect
golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
@@ -153,39 +160,14 @@ require (
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
k8s.io/apiserver v0.23.1 // indirect
k8s.io/component-base v0.23.1 // indirect
k8s.io/apiserver v0.23.4 // indirect
k8s.io/component-base v0.23.4 // indirect
k8s.io/klog/v2 v2.30.0 // indirect
k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
k8s.io/kubectl v0.23.1 // indirect
k8s.io/kubectl v0.23.4 // indirect
k8s.io/utils v0.0.0-20211208161948-7d6a63dca704 // indirect
oras.land/oras-go v1.1.0 // indirect
sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
sigs.k8s.io/kustomize/kyaml v0.13.0 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.0 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
)

// pin kustomize to v4.4.1
replace (
sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.10.1
sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.13.0
)

// Fix CVE-2021-41092
// Due to https://github.com/oras-project/oras-go/blob/v0.4.0/go.mod#L14
// pulled in by Helm.
replace github.com/docker/cli => github.com/docker/cli v20.10.9+incompatible

// Fix CVE-2021-30465
// Fix CVE-2021-43784
// Fix GO-2021-0085
// Fix GO-2021-0087
replace github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.3

// Fix CVE-2021-41190
// Due to https://github.com/oras-project/oras-go/blob/v0.4.0/go.mod#L21,
// pulled in by Helm.
replace github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2

// Fix CVE-2021-43816
replace github.com/containerd/containerd => github.com/containerd/containerd v1.5.9
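Review bot: Dropping the `replace` lines for `github.com/docker/cli` (CVE-2021-41092) and `github.com/opencontainers/image-spec` (CVE-2021-41190) at the end of go.mod means the fixed versions now depend entirely on what the module graph resolves, and this hunk does not show the resulting versions. Confirm with `go list -m github.com/docker/cli github.com/opencontainers/image-spec` that they resolve to at least v20.10.9+incompatible and v1.0.2 respectively, and record the output in the PR. Note also that the commit messages refer to Oras v1.0.x while this hunk lists `oras.land/oras-go v1.1.0 // indirect`.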