fluxcd · Nov 22, 2021 · Nov 22, 2021 · Nov 23, 2021 · Nov 23, 2021 · Nov 23, 2021
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,22 @@
 
 All notable changes to this project are documented in this file.
 
+## 0.18.1
+
+**Release date:** 2021-11-23
+
+This prerelease replaces deprecated dependencies, most notably being the OpenPGP
+package where `golang.org/x/crypto/openpgp` was replaced with
+`github.com/ProtonMail/go-crypto/openpgp`.
+
+Improvements:
+* Update `source-controller/api` to v0.19.0
+  [#499](https://github.com/fluxcd/kustomize-controller/pull/499)
+* Replace deprecated dependencies
+  [#498](https://github.com/fluxcd/kustomize-controller/pull/498)
+* Update `opencontainers/{image-spec, runc}`
+  [#497](https://github.com/fluxcd/kustomize-controller/pull/497)
+
 ## 0.18.0
 
 **Release date:** 2021-11-12

diff --git a/Makefile b/Makefile
@@ -2,7 +2,7 @@
 IMG ?= fluxcd/kustomize-controller:latest
 # Produce CRDs that work back to Kubernetes 1.16
 CRD_OPTIONS ?= crd:crdVersions=v1
-SOURCE_VER ?= v0.18.0
+SOURCE_VER ?= v0.19.0
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))

diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -2,8 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kustomize-system
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.18.0/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v0.18.0/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.19.0/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.19.0/source-controller.deployment.yaml
 - ../crd
 - ../rbac
 - ../manager

diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -5,4 +5,4 @@ resources:
 images:
   - name: fluxcd/kustomize-controller
     newName: fluxcd/kustomize-controller
-    newTag: v0.18.0
+    newTag: v0.18.1
diff --git a/controllers/kustomization_controller.go b/controllers/kustomization_controller.go
@@ -52,7 +52,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"sigs.k8s.io/controller-runtime/pkg/source"
-	"sigs.k8s.io/kustomize/api/filesys"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/events"
@@ -252,7 +252,7 @@ func (r *KustomizationReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 	// broadcast the reconciliation failure and requeue at the specified retry interval
 	if reconcileErr != nil {
 		log.Error(reconcileErr, fmt.Sprintf("Reconciliation failed after %s, next try in %s",
-			time.Now().Sub(reconcileStart).String(),
+			time.Since(reconcileStart).String(),
 			kustomization.GetRetryInterval().String()),
 			"revision",
 			source.GetArtifact().Revision)
@@ -263,12 +263,9 @@ func (r *KustomizationReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 
 	// broadcast the reconciliation result and requeue at the specified interval
 	msg := fmt.Sprintf("Reconciliation finished in %s, next run in %s",
-		time.Now().Sub(reconcileStart).String(),
+		time.Since(reconcileStart).String(),
 		kustomization.Spec.Interval.Duration.String())
-	log.Info(fmt.Sprintf(msg),
-		"revision",
-		source.GetArtifact().Revision,
-	)
+	log.Info(msg, "revision", source.GetArtifact().Revision)
 	r.event(ctx, reconciledKustomization, source.GetArtifact().Revision, events.EventSeverityInfo,
 		msg, map[string]string{"commit_status": "update"})
 	return ctrl.Result{RequeueAfter: kustomization.Spec.Interval.Duration}, nil
@@ -606,10 +603,6 @@ func (r *KustomizationReconciler) generate(kustomization kustomizev1.Kustomizati
 }
 
 func (r *KustomizationReconciler) build(ctx context.Context, kustomization kustomizev1.Kustomization, dirPath string) ([]byte, error) {
-	timeout := kustomization.GetTimeout()
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
 	dec, cleanup, err := NewTempDecryptor(r.Client, kustomization)
 	if err != nil {
 		return nil, err
@@ -809,13 +802,13 @@ func (r *KustomizationReconciler) checkHealth(ctx context.Context, manager *ssa.
 		Interval: 5 * time.Second,
 		Timeout:  kustomization.GetTimeout(),
 	}); err != nil {
-		return fmt.Errorf("Health check failed after %s, %w", time.Now().Sub(checkStart).String(), err)
+		return fmt.Errorf("Health check failed after %s, %w", time.Since(checkStart).String(), err)
 	}
 
 	// emit event if the previous health check failed
 	if !wasHealthy || (kustomization.Status.LastAppliedRevision != revision && drifted) {
 		r.event(ctx, kustomization, revision, events.EventSeverityInfo,
-			fmt.Sprintf("Health check passed in %s", time.Now().Sub(checkStart).String()), nil)
+			fmt.Sprintf("Health check passed in %s", time.Since(checkStart).String()), nil)
 	}
 
 	return nil
@@ -858,7 +851,7 @@ func (r *KustomizationReconciler) finalize(ctx context.Context, kustomization ku
 		!kustomization.Spec.Suspend &&
 		kustomization.Status.Inventory != nil &&
 		kustomization.Status.Inventory.Entries != nil {
-		objects, err := ListObjectsInInventory(kustomization.Status.Inventory)
+		objects, _ := ListObjectsInInventory(kustomization.Status.Inventory)
 
 		impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, "")
 		kubeClient, _, err := impersonation.GetClient(ctx)

diff --git a/controllers/kustomization_force_test.go b/controllers/kustomization_force_test.go
@@ -63,6 +63,7 @@ stringData:
 	}
 
 	artifact, err := testServer.ArtifactFromFiles(manifests(id, randStringRunes(5)))
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create artifact from files")
 
 	repositoryName := types.NamespacedName{
 		Name:      fmt.Sprintf("force-%s", randStringRunes(5)),

diff --git a/controllers/kustomization_generator.go b/controllers/kustomization_generator.go
@@ -24,12 +24,12 @@ import (
 	"strings"
 	"sync"
 
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/konfig"
 	"sigs.k8s.io/kustomize/api/krusty"
 	"sigs.k8s.io/kustomize/api/provider"
 	"sigs.k8s.io/kustomize/api/resmap"
 	kustypes "sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 	"sigs.k8s.io/yaml"
 
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"

diff --git a/controllers/kustomization_impersonation.go b/controllers/kustomization_impersonation.go
@@ -173,7 +173,7 @@ func (ki *KustomizeImpersonation) getKubeConfig(ctx context.Context) ([]byte, er
 	}
 
 	var kubeConfig []byte
-	for k, _ := range secret.Data {
+	for k := range secret.Data {
 		if k == "value" || k == "value.yaml" {
 			kubeConfig = secret.Data[k]
 			break

diff --git a/controllers/kustomization_indexers.go b/controllers/kustomization_indexers.go
@@ -61,7 +61,7 @@ func (r *KustomizationReconciler) requestsForRevisionChangeOf(indexKey string) f
 		if err != nil {
 			return nil
 		}
-		reqs := make([]reconcile.Request, len(sorted), len(sorted))
+		reqs := make([]reconcile.Request, len(sorted))
 		for i := range sorted {
 			reqs[i].NamespacedName.Name = sorted[i].Name
 			reqs[i].NamespacedName.Namespace = sorted[i].Namespace

diff --git a/controllers/kustomization_prune_test.go b/controllers/kustomization_prune_test.go
@@ -272,10 +272,10 @@ data:
 		empty := []testserver.File{
 			{
 				Name: "kustomization.yaml",
-				Body: fmt.Sprintf(`---
+				Body: `---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-`),
+`,
 			},
 		}
 		artifact, err := testServer.ArtifactFromFiles(empty)
@@ -400,10 +400,10 @@ data:
 		g.Expect(k8sClient.Get(context.Background(), types.NamespacedName{Name: id, Namespace: id}, resultSecret)).Should(Succeed())
 		g.Expect(k8sClient.Get(context.Background(), types.NamespacedName{Name: id, Namespace: id}, resultConfig)).Should(Succeed())
 
-		name, _ := resultConfig.GetLabels()["kustomize.toolkit.fluxcd.io/name"]
+		name := resultConfig.GetLabels()["kustomize.toolkit.fluxcd.io/name"]
 		g.Expect(name).Should(BeIdenticalTo(kustomizationKey.Name))
 
-		namespace, _ := resultConfig.GetLabels()["kustomize.toolkit.fluxcd.io/namespace"]
+		namespace := resultConfig.GetLabels()["kustomize.toolkit.fluxcd.io/namespace"]
 		g.Expect(namespace).Should(BeIdenticalTo(kustomizationKey.Namespace))
 	})
 

diff --git a/controllers/kustomization_transformer_test.go b/controllers/kustomization_transformer_test.go
@@ -18,7 +18,6 @@ package controllers
 
 import (
 	"context"
-	"fmt"
 	"strings"
 	"testing"
 	"time"
@@ -55,7 +54,7 @@ func TestKustomizationReconciler_KustomizeTransformer(t *testing.T) {
 	g.Expect(err).ToNot(HaveOccurred())
 
 	repositoryName := types.NamespacedName{
-		Name:      fmt.Sprintf("%s", randStringRunes(5)),
+		Name:      randStringRunes(5),
 		Namespace: id,
 	}
 
@@ -178,7 +177,7 @@ func TestKustomizationReconciler_KustomizeTransformerFiles(t *testing.T) {
 	g.Expect(err).ToNot(HaveOccurred())
 
 	repositoryName := types.NamespacedName{
-		Name:      fmt.Sprintf("%s", randStringRunes(5)),
+		Name:      randStringRunes(5),
 		Namespace: id,
 	}
 
@@ -297,7 +296,7 @@ func TestKustomizationReconciler_FluxTransformers(t *testing.T) {
 	g.Expect(err).ToNot(HaveOccurred())
 
 	repositoryName := types.NamespacedName{
-		Name:      fmt.Sprintf("%s", randStringRunes(5)),
+		Name:      randStringRunes(5),
 		Namespace: id,
 	}
 

diff --git a/controllers/kustomization_varsub_test.go b/controllers/kustomization_varsub_test.go
@@ -67,15 +67,15 @@ metadata:
 	g.Expect(err).NotTo(HaveOccurred())
 
 	repositoryName := types.NamespacedName{
-		Name:      fmt.Sprintf("%s", randStringRunes(5)),
+		Name:      randStringRunes(5),
 		Namespace: id,
 	}
 
 	err = applyGitRepository(repositoryName, artifact, revision)
 	g.Expect(err).NotTo(HaveOccurred())
 
 	configName := types.NamespacedName{
-		Name:      fmt.Sprintf("%s", randStringRunes(5)),
+		Name:      randStringRunes(5),
 		Namespace: id,
 	}
 	config := &corev1.ConfigMap{
@@ -88,7 +88,7 @@ metadata:
 	g.Expect(k8sClient.Create(context.Background(), config)).Should(Succeed())
 
 	secretName := types.NamespacedName{
-		Name:      fmt.Sprintf("%s", randStringRunes(5)),
+		Name:      randStringRunes(5),
 		Namespace: id,
 	}
 	secret := &corev1.Secret{

diff --git a/go.mod b/go.mod
@@ -6,22 +6,22 @@ replace github.com/fluxcd/kustomize-controller/api => ./api
 
 require (
 	filippo.io/age v1.0.0
+	github.com/ProtonMail/go-crypto v0.0.0-20211112122917-428f8eabeeb3
 	github.com/cyphar/filepath-securejoin v0.2.2
 	github.com/drone/envsubst v1.0.3-0.20200804185402-58bc65f69603
-	github.com/fluxcd/kustomize-controller/api v0.18.0
+	github.com/fluxcd/kustomize-controller/api v0.18.1
 	github.com/fluxcd/pkg/apis/kustomize v0.2.0
 	github.com/fluxcd/pkg/apis/meta v0.10.1
 	github.com/fluxcd/pkg/runtime v0.12.2
 	github.com/fluxcd/pkg/ssa v0.3.1
 	github.com/fluxcd/pkg/testserver v0.1.0
 	github.com/fluxcd/pkg/untar v0.1.0
-	github.com/fluxcd/source-controller/api v0.18.0
+	github.com/fluxcd/source-controller/api v0.19.0
 	github.com/go-logr/logr v0.4.0
 	github.com/hashicorp/go-retryablehttp v0.7.0
 	github.com/onsi/gomega v1.15.0
 	github.com/spf13/pflag v1.0.5
 	go.mozilla.org/sops/v3 v3.7.1
-	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
 	golang.org/x/net v0.0.0-20210520170846-37e1c6afe023
 	google.golang.org/grpc v1.42.0
 	k8s.io/api v0.22.2
@@ -31,6 +31,7 @@ require (
 	sigs.k8s.io/cli-utils v0.26.0
 	sigs.k8s.io/controller-runtime v0.10.2
 	sigs.k8s.io/kustomize/api v0.10.1
+	sigs.k8s.io/kustomize/kyaml v0.13.0
 	sigs.k8s.io/yaml v1.3.0
 )
 
@@ -41,4 +42,7 @@ replace (
 )
 
 // fix CVE-2021-30465
-replace github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.0-rc95
+replace github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.2
+
+// fix CVE-2021-41190
+replace github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2