backport PSS and PKI delete fix

giantswarm · Apr 17, 2024 · d4111cf · d4111cf
1 parent 401b35e
commit d4111cf
Show file tree

Hide file tree

Showing 8 changed files with 57 additions and 11 deletions.
diff --git a/.nancy-ignore b/.nancy-ignore
@@ -1,21 +1,28 @@
 # hashicorp/consul/sdk and /api are not intended for public use and won't receive future releases.
 # Waiting for upstream to move away from it.
-CVE-2022-29153 until=2024-03-14
-CVE-2021-41803 until=2024-03-14
+CVE-2022-29153 until=2024-12-31
+CVE-2021-41803 until=2024-12-31
 
 # Non-CVE findings, added with 1 year of exception time.
 # If these stay open for more than a year, we might have unmaintained dependencies.
-sonatype-2021-1485 until=2024-03-14
-sonatype-2022-6522 until=2024-03-14
+sonatype-2021-1485 until=2024-12-31
+sonatype-2022-6522 until=2024-12-31
 
 # github.com/nats-io/jwt
-CVE-2020-26892 until=2024-03-14
-CVE-2021-3127 until=2024-03-14
+CVE-2020-26892 until=2024-12-31
+CVE-2021-3127 until=2024-12-31
 CVE-2020-8561
 
 #pkg:golang/github.com/gin-gonic/gin(indirect)
 CVE-2023-26125
 CVE-2023-29401
 
 # golang/google.golang.org/[email protected]
-CVE-2023-32731 until=2023-08-30
+CVE-2023-32731 until=2024-12-31
+
+CVE-2023-47090
+CVE-2023-47108
+CVE-2023-48795
+CVE-2023-39325
+CVE-2023-3978
+CVE-2024-24786
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Add global.podSecurityStandards.enforced value for PSS migration.
+
+### Changed
+
+- Avoid exiting with a failure at startup time if the PKI cleanup fails.
+
 ## [3.2.1] - 2023-08-03
 
 ### Fixed

diff --git a/helm/cert-operator/templates/psp.yaml b/helm/cert-operator/templates/psp.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.global.podSecurityStandards.enforced }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -32,3 +33,4 @@ spec:
  hostNetwork: false
  hostIPC: false
  hostPID: false
+{{- end }}
diff --git a/helm/cert-operator/templates/rbac.yaml b/helm/cert-operator/templates/rbac.yaml
@@ -88,6 +88,7 @@ roleRef:
  name: {{ include "resource.default.name" . }}
  apiGroup: rbac.authorization.k8s.io
 ---
+{{- if not .Values.global.podSecurityStandards.enforced }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -118,3 +119,4 @@ roleRef:
  kind: ClusterRole
  name: {{ include "resource.psp.name" . }}
  apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/helm/cert-operator/values.schema.json b/helm/cert-operator/values.schema.json
@@ -184,6 +184,19 @@
  }
  }
  }
+ },
+ "global": {
+ "type": "object",
+ "properties": {
+ "podSecurityStandards": {
+ "type": "object",
+ "properties": {
+ "enforced": {
+ "type": "boolean"
+ }
+ }
+ }
+ }
  }
  }
 }
diff --git a/helm/cert-operator/values.yaml b/helm/cert-operator/values.yaml
@@ -59,3 +59,7 @@ serviceMonitor:
  interval: "60s"
  # -- (duration) Prometheus scrape timeout.
  scrapeTimeout: "45s"
+
+global:
+ podSecurityStandards:
+ enforced: false
diff --git a/pkg/project/project.go b/pkg/project/project.go
@@ -5,7 +5,7 @@ var (
  gitSHA = "n/a"
  name string = "cert-operator"
  source string = "https:/giantswarm/cert-operator"
- version = "3.2.1"
+ //version = "3.2.1"
 )
 
 func Description() string {
@@ -25,7 +25,7 @@ func Source() string {
 }
 
 func Version() string {
- return version
+ return "3.2.1"
 }
 
 // ManagementClusterAppVersion is always 0.0.0 for management cluster app CRs. These CRs

diff --git a/service/controller/cert.go b/service/controller/cert.go
@@ -168,6 +168,8 @@ func cleanupPKIBackends(logger micrologger.Logger, k8sClient k8sclient.Interface
 
  logger.Log("level", "debug", "message", "cleaning up PKI backends")
 
+ var latestError *error
+
  for k := range mounts {
  id := key.ClusterIDFromMountPath(k)
 
@@ -188,21 +190,29 @@ func cleanupPKIBackends(logger micrologger.Logger, k8sClient k8sclient.Interface
  if errors.IsNotFound(err) {
  // fall through
  } else if err != nil {
- return microerror.Mask(err)
+ latestError = &err
+ logger.Log("level", "error", "message", fmt.Sprintf("error deleting certconfigs for Tenant Cluster %#q", id))
+ continue
  }
  }
 
  {
  err := vaultPKI.DeleteBackend(id)
  if err != nil {
- return microerror.Mask(err)
+ latestError = &err
+ logger.Log("level", "error", "message", fmt.Sprintf("error deleting PKI backend for Tenant Cluster %#q", id))
+ continue
  }
  }
 
  logger.Log("level", "debug", "message", fmt.Sprintf("deleted PKI backend for Tenant Cluster %#q", id))
  }
  }
 
+ if latestError != nil {
+ return microerror.Mask(*latestError)
+ }
+
  logger.Log("level", "debug", "message", "cleaned up PKI backends")
 
  return nil