Skip to content
This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

Update dependencies #3639

Merged
merged 1 commit into from
Aug 30, 2022
Merged

Update dependencies #3639

merged 1 commit into from
Aug 30, 2022

Conversation

kingdonb
Copy link
Member

Working on upgrades for the next patch release

@kingdonb kingdonb added this to the 1.25.4 milestone Aug 29, 2022
@kingdonb kingdonb force-pushed the upgrade-dependencies branch from 7d22d07 to ea7db40 Compare August 29, 2022 15:17
@kingdonb kingdonb changed the title Update dependencies, go yaml v3 Update dependencies Aug 29, 2022
@kingdonb
Copy link
Member Author

kingdonb commented Aug 29, 2022

I guess this trips over some dependencies upgrading to Go YAML v3 @ v3.0.0 which has a CVE

I tried upgrading ourselves to the latest YAML.v3 but because the tests immediately failed, I moved the Go YAML v3 upgrade to another PR (we will not upgrade to YAML v3, this is a major change):

The dependencies that upgraded Go YAML to v3 had pinned a specific version which has CVEs against it, I upgraded those deps, but also replaced their YAML v3 versions with the latest (known safe) version 3.0.1, and in a local build found that it did not invoke the untrustworthy dependency. 👍

@kingdonb kingdonb mentioned this pull request Aug 29, 2022
@kingdonb
Copy link
Member Author

kingdonb commented Aug 29, 2022

This passes 👍

After this merges I'll cut the next release. (The CHANGELOG is in 86cfd4a now.)

@kingdonb kingdonb requested a review from stefanprodan August 29, 2022 16:36
@kingdonb kingdonb force-pushed the upgrade-dependencies branch from 618dc66 to 0d81968 Compare August 29, 2022 16:37
@kingdonb kingdonb mentioned this pull request Aug 29, 2022
@kingdonb
Copy link
Member Author

I lined up all the release PRs, so when this one gets approved I should be able to knock them all down and release in about an hour 👍

@kingdonb
Copy link
Member Author

WDYT @pjbgf ? kustomize is pinned/frozen in place at 3.8.4 and sops is already at 3.7.3, the latest. I think that's everything, except for Kubernetes. Let me know if you find anything I have missed, I'll add it.

Do you think there are any other version pins we should advance?

K8s 1.25.x is out now, which means K8s 1.21.x series is finally out of support (EOL). We have been pinning this series (1.21.x) and planned on upgrading past the breaking issues from those dependencies again around this milestone, about when there should be no more people still running on K8s 1.16.x, I have lost track of the details about supporting at the edges. I thought we had an issue pinned where we discussed how we plan to handle this, but I'm not seeing it. Will search for it again later.

I think that we might still want to consider publishing that type of upgrade but it should come later, if at all, in a next MINOR v1.26.0. I am not aware of any issues with K8s 1.24 or 1.25 preventing Flux v1 users from advancing on that upgrade path. We can release these upgrades as a patch now, and plan those upgrades for next release. That's what I'd propose.

That being said, I have not yet tested against K8s 1.25.0, I do not have a test matrix of different Kubernetes release versions at my disposal for testing against, as my maintainer duties are not resourced in that way here. I have plenty of ARM64 resources but Flux v1 only runs on AMD64 officially. I will try to make a 1.25.0 cluster and root out any issues with the e2e.


We are not expecting to make major changes in the Flux v1 codebase again. I think there are some deprecation warnings that may impact users in the strange place of being on the very latest Kubernetes release but also pinned to Flux legacy v1, there are probably no users in this position. (It seems much more likely that Flux v1 runs on systems which are never upgraded.)

I have not checked the deprecation schedule for this release out yet, but I think we are due for another breaking change requiring upgrade soon from upstream Kubernetes. Maybe someone else is more on top of this information than I am today.

go.mod Show resolved Hide resolved
Copy link
Member

@pjbgf pjbgf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From my checks, we can fix an additional CVE as per below.

@pjbgf
Copy link
Member

pjbgf commented Aug 30, 2022

@kingdonb I agree with the approach, let's take the Kubernetes update as a separate thread/release. In the coming days I plan to take a look around Flux 1 and the impact of 1.21.x being EOL and 1.22.x becoming EOL soon.

@kingdonb
Copy link
Member Author

I think #3564 is the issue that I was looking for. If there are any more deprecation warnings to address, let's open an issue.

Reopened:

* no need to upgrade Flux to yaml.v3

The dependencies which use yaml.v3 pinned a specific unreleased version
that was not secure, so we should replace it. (There's no CVE reported
against v2.4.0, the version that Flux itself uses internally.)

Co-authored-by: Paulo Gomes <paulo.gomes@weave.works>
Signed-off-by: Kingdon Barrett <kingdon@weave.works>
@kingdonb kingdonb force-pushed the upgrade-dependencies branch from c1b7492 to b7cc565 Compare August 30, 2022 10:50
@kingdonb kingdonb requested a review from pjbgf August 30, 2022 11:00
Copy link
Member

@pjbgf pjbgf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks @kingdonb for working on this. 🙇

@pjbgf pjbgf merged commit 558a589 into master Aug 30, 2022
@kingdonb kingdonb deleted the upgrade-dependencies branch August 30, 2022 11:20
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants