feat: use Busybox Docker image and Go 1.20.5 for build/release

Base Docker image adaptions because of CVE-2023-2650 mitigation.
aellwein · Jun 14, 2023 · b7e8ad6 · b7e8ad6
1 parent e0b99ba
commit b7e8ad6
Show file tree

Hide file tree

Showing 8 changed files with 108 additions and 25 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,13 +1,11 @@
-FROM --platform=$BUILDPLATFORM golang:1.20.3-alpine3.17 AS build
-RUN apk add --no-cache git
+FROM --platform=$BUILDPLATFORM golang:1.20.5 AS build
 WORKDIR /workspace
 COPY go.mod go.sum .
 RUN go mod download
 COPY . .
 ARG TARGETOS TARGETARCH
 RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o webhook -ldflags '-w -extldflags "-static"' .
 
-FROM alpine:3.18
-RUN apk add --no-cache ca-certificates
+FROM busybox:1.36.1-glibc
 COPY --from=build /workspace/webhook /usr/local/bin/webhook
 ENTRYPOINT ["webhook"]
diff --git a/Makefile b/Makefile
@@ -2,7 +2,7 @@ OS ?= $(shell go env GOOS)
 ARCH ?= $(shell go env GOARCH)
 
 IMAGE_NAME := "elvino76/cert-manager-webhook-netcup"
-IMAGE_TAG := "1.0.15"
+IMAGE_TAG := "1.0.16"
 
 OUT := $(shell pwd)/_out
 

diff --git a/charts/cert-manager-webhook-netcup-1.0.16.tgz b/charts/cert-manager-webhook-netcup-1.0.16.tgz
diff --git a/charts/cert-manager-webhook-netcup-1.0.16.tgz.prov b/charts/cert-manager-webhook-netcup-1.0.16.tgz.prov
@@ -0,0 +1,52 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+annotations:
+  artifacthub.io/changes: |
+    - kind: fixed
+      description: "use Busybox 1.36.1 for base image to mitigate CVE-2023-2650"
+    - kind: added
+      description: "Build with Go 1.20.5"
+  artifacthub.io/containsSecurityUpdates: "true"
+  artifacthub.io/license: Apache-2.0
+  artifacthub.io/maintainers: |
+    - name: Alex Ellwein
+      email: [email protected]
+  artifacthub.io/signKey: |
+    fingerprint: "F91914CE96676E209A8240290EEF2777053A7D1A"
+    url: https://keybase.io/aellwein/pgp_keys.asc
+apiVersion: v1
+appVersion: 1.0.16
+description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
+  via Netcup
+home: https://github.com/aellwein/cert-manager-webhook-netcup
+icon: https://raw.githubusercontent.com/cert-manager/cert-manager/master/logo/logo.png
+keywords:
+- - cert-manager
+- - webhook
+- - letsencrypt
+- - netcup
+- - ACME
+- - DNS01
+name: cert-manager-webhook-netcup
+version: 1.0.16
+
+...
+files:
+  ./cert-manager-webhook-netcup-1.0.16.tgz: sha256:631bd4ef439724ca4b9b070011fa2c87c3ae5978018adca0d3825f165ce20d9f
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCAAdFiEE1HATsJzIi3L2TkHNV/husVzFn5YFAmSJti4ACgkQV/husVzF
+n5Z5yhAAj+wjY4xuaCLup6z1wuTrWaqNWcdXJsfG/ZQp91zOyV0NBonS9CdO8E1i
+91TYxMSNa2wWzc3mFC/o7oFYCmtAPaVTFCsqZ/7N6K2wjSkChiGgmPxxyOIpQeOu
+Og2jDjh1DHWYL7qcC1w4X/d6biMQASiDANLAPoM+uzCdBxi7og+sLHPR5JpePepD
+yEzOHUcy9vn0eHe9MX0EITRNHoMO6WJ2nCMsnTSFtB3yIkRAUOF1ZbL7xRftdowe
+xyxbVZVD0JCrSQGFsTqW13F6gMmtDvR2Y1grAlk9SbUzr2vygWqzxAZYkU3PO1d5
+yhiVCPuho+6N5pI+vX6TGu9JYAWs7mm5/Ej36USh+PNf0fTwmf9Sbs4NrrEurJAh
+AvfdP+ncYJlolc984rkCzzeF5TdLjfVnjXABLSQS0bciCn3KwxP+LMhJaS5r9CYF
+6o3CsKFH7Wt6pAhta6/4jvGMnpLLJCp0EkIC4GPq+vc3MIc4ZnHgy7KPZcGobOhc
+eAMaMe8oxnd9yG1Napd3OVHX51ky1Gxc7zbKK25nQUzD2+uxZ8ZH4UHchSspaKD5
+S41/0WYDFqq1yT8YAncNnT78x0Nv2a675yXLtLvkRI1fDpOrnLvEZ14tfs1fvAEV
+zn7+MITKpB9w+UoizrN5HjcEqA7aRs4PHbcgUDB4qdn2ZnAxgnk=
+=59Ki
+-----END PGP SIGNATURE-----
diff --git a/charts/index.yaml b/charts/index.yaml
@@ -1,6 +1,39 @@
 apiVersion: v1
 entries:
   cert-manager-webhook-netcup:
+  - annotations:
+      artifacthub.io/changes: |
+        - kind: fixed
+          description: "use Busybox 1.36.1 for base image to mitigate CVE-2023-2650"
+        - kind: added
+          description: "Build with Go 1.20.5"
+      artifacthub.io/containsSecurityUpdates: "true"
+      artifacthub.io/license: Apache-2.0
+      artifacthub.io/maintainers: |
+        - name: Alex Ellwein
+          email: [email protected]
+      artifacthub.io/signKey: |
+        fingerprint: "F91914CE96676E209A8240290EEF2777053A7D1A"
+        url: https://keybase.io/aellwein/pgp_keys.asc
+    apiVersion: v1
+    appVersion: 1.0.16
+    created: "2023-06-14T14:44:31.610422+02:00"
+    description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
+      via Netcup
+    digest: 631bd4ef439724ca4b9b070011fa2c87c3ae5978018adca0d3825f165ce20d9f
+    home: https://github.com/aellwein/cert-manager-webhook-netcup
+    icon: https://raw.githubusercontent.com/cert-manager/cert-manager/master/logo/logo.png
+    keywords:
+    - cert-manager
+    - webhook
+    - letsencrypt
+    - netcup
+    - ACME
+    - DNS01
+    name: cert-manager-webhook-netcup
+    urls:
+    - cert-manager-webhook-netcup-1.0.16.tgz
+    version: 1.0.16
   - annotations:
       artifacthub.io/changes: |
         - kind: added
@@ -17,7 +50,7 @@ entries:
         url: https://keybase.io/aellwein/pgp_keys.asc
     apiVersion: v1
     appVersion: 1.0.15
-    created: "2023-05-11T20:06:17.515664+02:00"
+    created: "2023-06-14T14:44:31.610197+02:00"
     description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
       via Netcup
     digest: 9004dfab480013735a304222d6cb258e1abf4ce6f2d91d6ab9079b6a143dbc6b
@@ -52,7 +85,7 @@ entries:
         url: https://keybase.io/aellwein/pgp_keys.asc
     apiVersion: v1
     appVersion: 1.0.14
-    created: "2023-05-11T20:06:17.515422+02:00"
+    created: "2023-06-14T14:44:31.609957+02:00"
     description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
       via Netcup
     digest: 5ae3d345efadfd55f8b3c154fd81f2ccd95896bed24ee918c9d71d495021a6b5
@@ -85,7 +118,7 @@ entries:
         url: https://keybase.io/aellwein/pgp_keys.asc
     apiVersion: v1
     appVersion: 1.0.13
-    created: "2023-05-11T20:06:17.515142+02:00"
+    created: "2023-06-14T14:44:31.609717+02:00"
     description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
       via Netcup
     digest: 68f71804f042cf7d2a6a2470cb4dfb8c48c26389f07f66e266ae9a0619a15c21
@@ -145,7 +178,7 @@ entries:
           email: [email protected]
     apiVersion: v1
     appVersion: 1.0.12
-    created: "2023-05-11T20:06:17.514915+02:00"
+    created: "2023-06-14T14:44:31.609475+02:00"
     description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
       via Netcup
     digest: bede761557c38f373c3923f9d9128f77c8fc32d2b1d79f1fda4cb548c031f62d
@@ -172,7 +205,7 @@ entries:
           email: [email protected]
     apiVersion: v1
     appVersion: 1.0.11
-    created: "2023-05-11T20:06:17.514648+02:00"
+    created: "2023-06-14T14:44:31.609214+02:00"
     description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
       via Netcup
     digest: aa66de90af78012c0521d3ec48265746ee97f26640248e4b68328331c4ce6f2d
@@ -200,7 +233,7 @@ entries:
           email: [email protected]
     apiVersion: v1
     appVersion: 1.0.10
-    created: "2023-05-11T20:06:17.5144+02:00"
+    created: "2023-06-14T14:44:31.608962+02:00"
     description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
       via Netcup
     digest: f6ec08186bf14c204eef0971e9c84545b5a8bb3d455d7cdcca488ddc71830695
@@ -229,7 +262,7 @@ entries:
           email: [email protected]
     apiVersion: v1
     appVersion: 1.0.9
-    created: "2023-05-11T20:06:17.517446+02:00"
+    created: "2023-06-14T14:44:31.613685+02:00"
     description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
       via Netcup
     digest: d3b6eab27e21af3ae6fb5473e4b0e5db8d75c95bf5ee9b7f1b2e25e98b488bd3
@@ -248,7 +281,7 @@ entries:
     version: 1.0.9
   - apiVersion: v1
     appVersion: 1.0.8
-    created: "2023-05-11T20:06:17.517135+02:00"
+    created: "2023-06-14T14:44:31.61345+02:00"
     description: Allow cert-manager to solve DNS challenges using Netcup DNS API
     digest: 4b1c49ef9ab1c57428cff35824dd7cb13f187af74fa7dcd560dd788aa0dce892
     name: cert-manager-webhook-netcup
@@ -257,7 +290,7 @@ entries:
     version: 1.0.8
   - apiVersion: v1
     appVersion: 1.0.7
-    created: "2023-05-11T20:06:17.516919+02:00"
+    created: "2023-06-14T14:44:31.613223+02:00"
     description: Allow cert-manager to solve DNS challenges using Netcup DNS API
     digest: 0d262079f7326e41020df239298f5106bebaf9d797a9ce61550caa6457237a69
     name: cert-manager-webhook-netcup
@@ -266,7 +299,7 @@ entries:
     version: 1.0.7
   - apiVersion: v1
     appVersion: 1.0.6
-    created: "2023-05-11T20:06:17.516498+02:00"
+    created: "2023-06-14T14:44:31.611014+02:00"
     description: Allow cert-manager to solve DNS challenges using Netcup DNS API
     digest: f1eb0f11758d480a6fa187a54cdca8669b1ccdb75f022b53d84253723827b7c7
     name: cert-manager-webhook-netcup
@@ -275,7 +308,7 @@ entries:
     version: 1.0.6
   - apiVersion: v1
     appVersion: 1.0.5
-    created: "2023-05-11T20:06:17.516045+02:00"
+    created: "2023-06-14T14:44:31.61082+02:00"
     description: Allow cert-manager to solve DNS challenges using Netcup DNS API
     digest: 24df7547c2509b06972440c318a22e7e62c0c00c55a796b2c71b70c2e6a1f9bf
     name: cert-manager-webhook-netcup
@@ -284,11 +317,11 @@ entries:
     version: 1.0.5
   - apiVersion: v1
     appVersion: 1.0.3
-    created: "2023-05-11T20:06:17.515853+02:00"
+    created: "2023-06-14T14:44:31.610623+02:00"
     description: Allow cert-manager to solve DNS challenges using Netcup DNS API
     digest: 03f7f124bb6d76a606a9ed598466b1f4aa422c4406bde52cfff1202a209cd9fd
     name: cert-manager-webhook-netcup
     urls:
     - cert-manager-webhook-netcup-1.0.3.tgz
     version: 1.0.3
-generated: "2023-05-11T20:06:17.514043+02:00"
+generated: "2023-06-14T14:44:31.60859+02:00"
diff --git a/charts/release.sh b/charts/release.sh
@@ -2,5 +2,5 @@
 
 helm package ../deploy/cert-manager-webhook-netcup && \
 find . -name "*.tgz" | while read f; do \
-helm gpg sign $f ; helm gpg verify $f ; done && \
+if [ ! -e "$f.prov" ]; then helm gpg sign $f ; helm gpg verify $f ; fi; done && \
 helm repo index .
diff --git a/deploy/cert-manager-webhook-netcup/Chart.yaml b/deploy/cert-manager-webhook-netcup/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "1.0.15"
-version: 1.0.15
+appVersion: "1.0.16"
+version: 1.0.16
 description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge via Netcup
 name: cert-manager-webhook-netcup
 home: https://github.com/aellwein/cert-manager-webhook-netcup
@@ -19,10 +19,10 @@ annotations:
       email: [email protected]
   artifacthub.io/containsSecurityUpdates: "true"
   artifacthub.io/changes: |
-    - kind: added
-      description: "use Alpine 3.18 base image"
     - kind: fixed
-      description: "upgrade base image to mitigate openssl CVE-2023-1255"
+      description: "use Busybox 1.36.1 for base image to mitigate CVE-2023-2650"
+    - kind: added
+      description: "Build with Go 1.20.5"
   artifacthub.io/signKey: |
     fingerprint: "F91914CE96676E209A8240290EEF2777053A7D1A"
     url: https://keybase.io/aellwein/pgp_keys.asc
diff --git a/deploy/cert-manager-webhook-netcup/values.yaml b/deploy/cert-manager-webhook-netcup/values.yaml
@@ -15,7 +15,7 @@ certManager:
 
 image:
   repository: elvino76/cert-manager-webhook-netcup
-  tag: 1.0.15
+  tag: 1.0.16
   # sha hash can be used to specify image version, instead of tag
   hash: ""
   pullPolicy: IfNotPresent