Skip to content

[PLT-4154] Fix vulnerabilities: cloud-provisioner 0.17.0-0.8.5#911

Open
iamjanr wants to merge 16 commits into
Stratio:branch-0.17.0-0.8from
iamjanr:PLT-4154-0.8.5
Open

[PLT-4154] Fix vulnerabilities: cloud-provisioner 0.17.0-0.8.5#911
iamjanr wants to merge 16 commits into
Stratio:branch-0.17.0-0.8from
iamjanr:PLT-4154-0.8.5

Conversation

@iamjanr
Copy link
Copy Markdown
Collaborator

@iamjanr iamjanr commented May 21, 2026
edited
Loading

Summary

  • Go toolchain go1.25.8 → go1.25.10 (cloud-provisioner binary)
  • Bump grpc v1.61.0→v1.79.3, docker/docker v25.0.6→v27.1.1, runc v1.1.12→v1.2.8, jwt/v5 v5.0.0→v5.2.2, containers/image/v5 v5.29.2→v5.32.2
  • CAPI v1.10.8→v1.10.10, CAPA v2.9.2→v2.9.3, CAPZ v1.21.1→v1.21.3
  • Calico v3.30.2→v3.31.5 / tigera-operator v1.38.5→v1.40.8 (v3.32.0 bloqueante — CRD removal en chart)
  • cert-manager v1.19.1→v1.20.2
  • FluxCD controllers: helm-controller v1.4.5→v1.5.4, kustomize-controller v1.7.3→v1.8.5, source-controller v1.4.1→v1.8.4 (chart 2.17.2 sin cambio — 2.18.x incompatible k8s 1.32)
  • cluster-operator 0.6.1→0.6.2

Test plan

  • EKS (eks-cl02): instalación completa verificada — calico v3.31.5, cert-manager v1.20.2, CAPI v1.10.10, CAPA v2.9.3, flux2 2.17.2, cluster-autoscaler 9.52.1, cluster-operator 0.6.2
  • Azure unmanaged (azure-plt4154): en curso
  • GCP GKE: pendiente

Jira: PLT-4154

iamjanr added 10 commits May 19, 2026 12:26
@iamjanr
[PLT-4154] Bump third-party image versions to fix Medium CVEs
ff2e733 
- Calico v3.30.2 → v3.32.0 + tigera-operator v1.38.5 → v1.42.0 (UBI 8→9, 644 Medium)
- cert-manager v1.19.1 → v1.20.2 (Go 1.26.2, 85 Medium)
- FluxCD flux-cli v2.7.5 → v2.8.7, helm-ctrl v1.4.5 → v1.5.4,
  kustomize-ctrl v1.7.3 → v1.8.5, source-ctrl v1.7.4 → v1.8.4 (CVE-2026-45022, 74+ Medium)
- flux chart 2.17.2 → 2.18.3, tigera-operator chart v3.30.2 → v3.32.0, cert-manager chart v1.19.1 → v1.20.2
@iamjanr
[PLT-4154] Sync version bumps to Go sources and upgrade script
49ee291 
Update hardcoded chart/image versions to match DEPENDENCIES:
- provider.go, aws.go, azure.go, gcp.go: cert-manager v1.19.1→v1.20.2,
  tigera-operator chart v3.30.2→v3.32.0, flux2 chart 2.17.2→2.18.3
- upgrade-provisioner.py: CALICOCTL 3.30.2→3.32.0, CONTROLLER v1.38.5→v1.42.0,
  cert-manager v1.19.1→v1.20.2, flux2 2.17.2→2.18.3, tigera-operator v3.30.2→v3.32.0
@iamjanr
[PLT-4154] Bump CAPI/CAPA/CAPZ to latest v1.10.x/v2.9.x/v1.21.x
5cf8aa2 
- CAPI v1.10.8 → v1.10.10
- CAPA v2.9.2 → v2.9.3
- CAPZ v1.21.1 → v1.21.3

Reduces Go stdlib CVEs in upstream images.
CAPG stays on Stratio fork (no upstream update).
@iamjanr
[PLT-4154] Add CHANGELOG entry for 0.6.2
6db349c
@iamjanr
[PLT-4154] Sync cluster-operator 0.6.2: image refs, dependencies, upg…
fd5f2c4 
…rade script
@iamjanr
[PLT-4154] Update docs and CHANGELOG for 0.17.0-0.8.5
e8588bd
@iamjanr
[PLT-4154] Fix cloud-provisioner binary vulns: go1.25.10 toolchain + …
823d277 
…dep bumps

- toolchain go1.25.10 in go.mod + .tool-versions (eliminates stdlib Critical/High)
- grpc v1.61.0 → v1.79.3, protobuf v1.31.0 → v1.36.10
- docker/docker v25.0.6 → v27.1.1 (via containers/common v0.60.4)
- containers/image/v5 v5.29.2 → v5.32.2, runc v1.1.12 → v1.2.8
- jwt/v5 v5.0.0 → v5.2.2, x/crypto v0.42.0 → v0.46.0
- azidentity v1.4.0 → v1.8.2, ulikunitz/xz v0.5.11 → v0.5.15
Result: 39 findings → 6 (3H+2M+1L in docker/docker, no upstream fix available)
@iamjanr
[PLT-4154] Update Dockerfiles: CAPI v1.10.10, CAPA v2.9.3, CAPZ v1.21.3
56871d8
@iamjanr
[PLT-4154] Update hardcoded version defaults for CAPI/CAPA/CAPZ and F…
3e04ef4 
…lux/Tigera templates

- pkg/commons/cluster.go: capi v1.10.8→v1.10.10, capa v2.9.2→v2.9.3, capz v1.21.1→v1.21.3
- flux2-helm-values.tmpl: flux-cli v2.7.5→v2.8.7, helm v1.4.5→v1.5.4, kustomize v1.7.3→v1.8.5, source v1.7.4→v1.8.4
- tigera-operator-helm-values.tmpl: tigera v1.38.5→v1.42.0
@iamjanr
[PLT-4154] Downgrade Calico v3.32.0→v3.31.5 and FluxCD 2.18.3→2.17.2 …
a45c6cd 
…for k8s 1.32 compatibility

Calico v3.32.0: chart removed crds/ directory (commit 8b19114) — helm install fails
without pre-applying crd.projectcalico.org.v1 companion chart. v3.31.5 is the last
version with CRDs bundled in the chart. Deferred to 0.9.

FluxCD 2.18.3: flux-cli v2.8.x hardcodes k8s >=1.33.0-0 in check --pre. v2.7.5
(chart 2.17.2) requires >=1.32.0-0. Controller images (helm v1.5.4, kustomize v1.8.5,
source v1.8.4) kept at bumped versions — they do not carry the version check.

Verified: EKS cluster eks-cl02 with k8s v1.32.13 installs successfully with all
components at expected versions.
@iamjanr iamjanr requested a review from tperez-stratio as a code owner May 21, 2026 11:02
iamjanr added 2 commits May 21, 2026 13:18
@iamjanr
Merge remote-tracking branch 'Stratio/branch-0.17.0-0.8' into PLT-415…
40fb5bf 
…4-0.8.5
@iamjanr
[PLT-4154] Update offline-installation image versions for 0.17.0-0.8.5
4e94dd0 
Calico v3.31.5, tigera-operator v1.40.8, cert-manager v1.20.2,
FluxCD controllers v1.5.4/v1.8.5/v1.8.4, CAPI v1.10.10,
CAPA v2.9.3, CAPZ v1.21.3, cluster-operator 0.6.2,
cloud-provisioner 0.17.0-0.8.5, coredns v1.12.1
@alopez-stratio alopez-stratio added this to the 0.8.5 milestone May 21, 2026
tperez-stratio
tperez-stratio requested changes May 27, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@tperez-stratio tperez-stratio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@iamjanr te paso un cambio y unos comentarios. Gracias.

Comment thread stratio-docs/es/modules/operations-manual/pages/offline-installation/common-images.adoc
Comment thread stratio-docs/es/modules/operations-manual/pages/offline-installation/common-images.adoc
Comment thread stratio-docs/es/modules/operations-manual/pages/offline-installation/common-images.adoc
Comment thread stratio-docs/es/modules/operations-manual/pages/upgrade.adoc Outdated
iamjanr added 4 commits May 29, 2026 08:41
@iamjanr
[PLT-4154] Fix review comments: common-images EN sync and upgrade.ado…
efe17d1 
…c formatting

- common-images.adoc (EN): remove spurious :v3.31.5 tag from whisker,
  whisker-backend and goldmane image names — version belongs only in
  the version column, consistent with all other calico entries
- upgrade.adoc (ES): apply suggested formatting *_Charts_* (bold+italic)
@iamjanr
[PLT-4154] Merge branch-0.17.0-0.8: keep PLT-4154 versions
87990dc 
Resolve merge conflicts keeping PLT-4154-0.8.5 versions:
- pkg/commons/cluster.go: CAPI v1.10.10, CAPA v2.9.3, CAPZ v1.21.3
- upgrade.adoc (EN/ES): cert-manager v1.20.2, flux2 2.18.3, tigera-operator v3.32.0
@iamjanr
[PLT-4154] Merge Stratio/branch-0.17.0-0.8: keep PLT-4154 versions
0b5bd07
@iamjanr
[PLT-4154] Fix CHANGELOG version to 0.17.0-0.8.5 upcoming
79cfe59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tperez-stratio tperez-stratio tperez-stratio requested changes

@alopez-stratio alopez-stratio alopez-stratio approved these changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

branch-0.8 ok-to-review

Projects

None yet

Milestone

0.8.5

Development

Successfully merging this pull request may close these issues.

3 participants

@iamjanr @alopez-stratio @tperez-stratio