
1.7.1-gcm.1

@j-fuentes j-fuentes released this 08 Sep 09:19
1c1507d

This release fixes a vulnerability in the deployer image that was inherited from ubbagent:

CVE-2019-14697 -> https://gcr.io/cloud-marketplace/jetstack-public/jetstack-secure-for-cert-manager/ubbagent@sha256:1a39f200634390a4252481c2f7a1a4188df3de5f5af1c3c30b91cd1c066a07e7

We confirmed that we were using this vulnerable version of ubbagent (sha256 starts with 1a39f200634) in the following deployer images:

  • 1.4.3-gcm.0
  • 1.4.4-gcm.0 ← 1.4
  • 1.5.3-gcm.0
  • 1.5.4-gcm.0
  • 1.5.4-gcm.1 ← 1.5
  • 1.6.0-gcm.0
  • 1.6.1-gcm.0 ← 1.6
  • 1.7.1-gcm.0 ← 1.7

    $ gcloud container images list-tags gcr.io/jetstack-public/jetstack-secure-for-cert-manager/ubbagent  --filter 'tags ~ 1\.'
    DIGEST        TAGS                                                                                             TIMESTAMP
    1a39f2006343  1.4.3-gcm.0,1.4.4-gcm.0,1.5.3-gcm.0,1.5.4-gcm.0,1.5.4-gcm.1,1.6.0-gcm.0,1.6.1-gcm.0,1.7.1-gcm.0  2021-08-05T03:07:54
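As an added check that is not part of this release note: given the output of the `gcloud container images list-tags` command above, list the tags whose ubbagent digest starts with the vulnerable prefix, so an operator can tell whether a deployed version needs this upgrade. The listing below is a constructed sample in the shape of that output; the digest shown for 1.7.1-gcm.1 is a placeholder, not the real one.

```shell
# Digest prefix of the ubbagent build affected by CVE-2019-14697 (quoted in the release note).
VULN_DIGEST_PREFIX="1a39f200634"

# Constructed sample in the shape of `gcloud container images list-tags` output.
# The second row stands in for the fixed image; its digest is a placeholder, not a real value.
SAMPLE_LIST_TAGS='DIGEST        TAGS                                                                                             TIMESTAMP
1a39f2006343  1.4.3-gcm.0,1.4.4-gcm.0,1.5.3-gcm.0,1.5.4-gcm.0,1.5.4-gcm.1,1.6.0-gcm.0,1.6.1-gcm.0,1.7.1-gcm.0  2021-08-05T03:07:54
000000000000  1.7.1-gcm.1                                                                                      2021-09-08T09:19:00'

# Read list-tags output on stdin and print, one per line, every tag whose
# digest starts with the vulnerable prefix. The header row (NR == 1) is skipped.
affected_tags() {
    awk -v pfx="$VULN_DIGEST_PREFIX" '
        NR > 1 && index($1, pfx) == 1 {
            n = split($2, tags, ",")
            for (i = 1; i <= n; i++) print tags[i]
        }'
}

# Exit 0 when the given tag is served by the vulnerable digest, 1 otherwise.
# Usage: gcloud container images list-tags <image> | tag_is_affected 1.7.1-gcm.0
tag_is_affected() {
    affected_tags | grep -qxF -- "$1"
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LIST_TAGS" | affected_tags
for tag in 1.7.1-gcm.0 1.7.1-gcm.1; do
    if printf '%s\n' "$SAMPLE_LIST_TAGS" | tag_is_affected "$tag"; then
        echo "$tag: affected, upgrade to 1.7.1-gcm.1"
    else
        echo "$tag: not affected"
    fi
done
```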

To install this version, please follow the instructions on the README.md (1.7).

Changelog since 1.7.1-gcm.0

  • Fixed CVE-2019-14697 that was affecting the ubbagent.
  • Upgraded jetstack-secure-agent from v0.1.32 to v0.1.38.

Upgrade instructions

Notes

Information about this release:

| Item | Value |
|---|---|
| README.md | https://github.com/jetstack/jetstack-secure-gcm/blob/release-1.7/README.md |
| deployer image | gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer:1.7.1-gcm.1 |
| deployer digest | dc3af35a40b5 |
| git tag | 1.7.0-gcm.1 |
| git commit | 1c1507d |
| retag logs | https://console.cloud.google.com/cloud-build/builds/7e237665-cab1-4f1a-b295-7393bdcf6339?project=885059085598 |
| deployer logs | https://console.cloud.google.com/cloud-build/builds/aa4b2fb1-de32-4a7f-b49f-f76e51607cb0?project=885059085598 |

📦 Recording of the manual steps of the release process


Since we do not yet have a CD pipeline to do this work, we prefer to document every step of the manual process for every single release, in order to (1) have a record of what has been done, and (2) remember how to release next time.

Step-by-step process followed:

  • Set the following variables in your shell session. The PREV_APP_VERSION corresponds to the content of the publishedVersion field that is currently set in schema.yaml. The APP_VERSION corresponds to the release of GCM that you plan on doing. For the other _TAG variables, pick the latest git tag of each project.

    PREV_APP_VERSION="1.7.1-gcm.0"
    APP_VERSION="1.7.1-gcm.1"
    BRANCH=release-1.7
    CERT_MANAGER_TAG="v1.7.1"
    JETSTACK_AGENT_TAG="v0.1.38"
    GOOGLE_CAS_ISSUER_TAG="v0.5.3"
    GOOGLE_CAS_ISSUER_TAG_DOCKER="0.5.3" # same as above, but without the 'v'
  • Make sure that you are on the branch $BRANCH.

  • Update the above table with the README.md link.

  • ⚠️ Update the cert-manager chart:

    # From the jetstack-secure-gcm repo.
    cd chart/jetstack-secure-gcm/charts/
    rm -rf cert-manager
    helm pull jetstack/cert-manager --version "${APP_VERSION/-gcm*/}" --untar

    Then, run the following:

    find cert-manager -type f -print0 | xargs -0 perl -pi -e 's/app\.kubernetes\.io\/name:(.*\")[a-z-._]+\.name(\".*)/app.kubernetes.io\/name:$1cert-manager.name$2/g'
    find cert-manager -type f -print0 | xargs -0 perl -nli -e 'print if !/^ *app:/'

    Explanation:

    1. The first command makes sure all the app.kubernetes.io/name labels are set to
       cert-manager. This is a "bug" in the cert-manager chart that we need to
       fix in the GCM chart to avoid seeing missing resources in GKE's
       Application UI.
    2. The second command removes all app: ... labels, since these aren't used
       in GCM.

    Finally, add patches that make sense:

    git add -p
  • Apply the ubbagent patch.

    This adds a sidecar container called ubbagent (Universal Billing Agent) to the main cert-manager deployment.

    patch -p1 < <(curl -sSL https://github.com/jetstack/jetstack-secure-gcm/commit/e1ecea1cb623358d3181157fcf9bff04fd41988f.diff)
  • Add any Role and ClusterRole that were added in the previous step into the
    file schema.yaml.

  • Make sure to be logged in with gcloud and to have the "Editor" role on
    the jetstack-public repo:

    gcloud config set project jetstack-public
  • Create the smoke-test cluster:

    gcloud container clusters create smoke-test --project=jetstack-public --zone=europe-west2-b --workload-pool=jetstack-public.svc.id.goog --num-nodes=2 --async
  • Retag the images using Cloud Build:

    gcloud builds submit --project jetstack-public --config cloudbuild-retag-with-licenses.yaml --substitutions \
        _APP_VERSION=$APP_VERSION,_CERT_MANAGER_TAG=$CERT_MANAGER_TAG,_JETSTACK_AGENT_TAG=$JETSTACK_AGENT_TAG,_GOOGLE_CAS_ISSUER_TAG=$GOOGLE_CAS_ISSUER_TAG,_GOOGLE_CAS_ISSUER_TAG_DOCKER=$GOOGLE_CAS_ISSUER_TAG_DOCKER
  • Copy the link to the Cloud Build logs into the table above (row "retag logs").

  • Run the following command that will update the app version in schema.yaml, Chart.yaml and README.md:

    # You must be in the jetstack/jetstack-secure-gcm repo folder.
    PREV_DOT_ESCAPED="${PREV_APP_VERSION//./\\.}"
    find . -type f -not -path '*/\.git*' -and -not -name 'go.sum' -and -not -name 'go.mod' -exec perl -pi -e "s/${PREV_DOT_ESCAPED}/${APP_VERSION}/g" '{}' \;
    find . -type f -not -path '*/\.git*' -and -not -name 'go.sum' -and -not -name 'go.mod' -exec perl -pi -e "s/${PREV_DOT_ESCAPED//-gcm*/}/${APP_VERSION//-gcm*/}/g" '{}' \;

    Check that the diff looks OK and that all the versions in schema.yaml, Chart.yaml and README.md are correct:

    git diff

    Finally, commit it:

    git add .
    git commit -m "bump version to $APP_VERSION" --edit
    git rev-parse HEAD
  • Copy and paste that commit hash into the above table. You will create the tag later on.

  • Build the deployer image:

    gcloud builds submit --project jetstack-public --timeout 1800s --config cloudbuild.yaml \
      --substitutions _CLUSTER_NAME=smoke-test,_CLUSTER_LOCATION=europe-west2-b,_APP_MINOR_VERSION=$(awk 'BEGIN {FS="."}; {print $1 "." $2}' <<<$APP_VERSION),_APP_VERSION=$APP_VERSION
  • Copy the link to the Cloud Build logs into the table above (row "deployer logs").

  • Tag the commit you created above:

    git tag $APP_VERSION
    git push --tags
  • Update the git tag in the table above with $APP_VERSION

  • Delete the smoke-test cluster.

    gcloud container clusters delete smoke-test --zone=europe-west2-b --async --project jetstack-public
  • Add the deployer image digest to the table above by running:

    gcloud container images list-tags gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer --limit=1
  • Go to the GitHub Tags, click on the tag you just pushed, click "Create release from tag", and then:

    1. Set the "Release title" to the name of the tag,
    2. Add this current Markdown <details> block along with the release notes to the release description,
    3. Click "Save Draft",
    4. Don't forget to update the <details> block with any change or addition to the release process.
  • Go to the "Container images" tab in the product admin UI, click "View" in Proposed releases and make sure the release points to the image tag of the deployer that was just published. If not, change it to point to that one, click "Save and validate", wait for the validation tests to succeed and then click "Submit".

  • Finally, when the solution is reviewed, open the GitHub release and click
    "Publish".