Incorrect/insecure Go version used for operator-certification base image

Description

We recently fixed up the handling of Go versions when invoking the build step ("make dist") for the K8S family products - see . However, this only corrects the build step. There's a separate step to create the Docker images from the artifacts in the "image" file which is created by the build step, as documented here: https://hub.internal.couchbase.com/confluence/display/CR/Grand+Unified+Build+and+Release+Process+for+Operator

This step expects the "image" file to be completely self-contained, which means that no --build-arg arguments are passed to the "docker build" command. So any ARGs will be built with their default values. 

The operator-certification Dockerfiles have an ARG GO_VERSION, and the base image is determined by that ARG. That GO_VERSION is not currently related to the Go version from the manifest which is used to build the binaries, which could lead to strange runtime behaviour. Also, right now GO_VERSION is 1.17.6, which is an EOL version - the corresponding base Docker images may not even be receiving security updates, which could lead to shipping images with known security vulnerabilities.

Environment

None

Release Notes Description

None

Activity

Show:

CB robot April 19, 2023 at 1:02 PM

Build cbdeps::zstd-cpp-1.5.0-3 contains build-tools commit 22de8d2 with commit message:
: Pass GO_VERSION to 'docker build' step also

CB robot April 15, 2023 at 7:12 AM

Build cbdeps::protoc-gen-go-1.2.5-5 contains build-tools commit 22de8d2 with commit message:
: Pass GO_VERSION to 'docker build' step also

CB robot April 14, 2023 at 3:00 PM

Build cbdeps::libuv-1.20.3-23 contains build-tools commit 22de8d2 with commit message:
: Pass GO_VERSION to 'docker build' step also

CB robot April 14, 2023 at 2:57 PM

Build cbdeps::liburing-0.6-3 contains build-tools commit 22de8d2 with commit message:
: Pass GO_VERSION to 'docker build' step also

CB robot April 14, 2023 at 2:50 PM

Build cbdeps::libsodium-1.0.18-5 contains build-tools commit 22de8d2 with commit message:
: Pass GO_VERSION to 'docker build' step also

Fixed
Pinned fields
Click on the next to a field label to start pinning.

Details

Assignee

Chris Hillery

Reporter

Story Points

Time tracking

2h logged

Components

Sprint

Priority

Instabug

Open Instabug

PagerDuty

Sentry

Zendesk Support

Created August 16, 2022 at 9:54 AM
Updated April 19, 2023 at 1:02 PM
Resolved September 10, 2022 at 9:17 AM
Instabug
Loading...