Merge pull request #216 from cloudogu/feature/fix-cve-2024-41110

pmarkiewka · web-flow · commit 1b1f4b4b0dc1 · 2024-08-15T10:47:09.000+02:00
Get rid of cve-2024-41110
diff --git a/Dockerfile b/Dockerfile
@@ -46,9 +46,8 @@ RUN apk add curl grep
 # https://kubernetes.io/blog/2022/12/12/kubernetes-release-artifact-signing/
 ARG K8S_VERSION=1.29.1
 ARG KUBECTL_CHECKSUM=69ab3a931e826bf7ac14d38ba7ca637d66a6fcb1ca0e3333a2cafdf15482af9f
-# When updating, also update the checksum found at https://github.com/helm/helm/releases
-ARG HELM_VERSION=3.14.4
-ARG HELM_CHECKSUM=a5844ef2c38ef6ddf3b5a8f7d91e7e0e8ebc39a38bb3fc8013d629c1ef29c259
+# When updating, also upgrade helm image in ApplicationConfigurator
+ARG HELM_VERSION=3.15.4
 # bash curl unzip required for Jenkins downloader
 RUN apk add --no-cache \
       gnupg \
@@ -67,8 +66,6 @@ WORKDIR /tmp
 RUN curl --location --fail --retry 20 --retry-connrefused --retry-all-errors --output helm.tar.gz https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz 
 RUN curl --location --fail --retry 20 --retry-connrefused --retry-all-errors --output helm.tar.gz.asc https://github.com/helm/helm/releases/download/v${HELM_VERSION}/helm-v${HELM_VERSION}-linux-amd64.tar.gz.asc
 RUN tar -xf helm.tar.gz
-# Without the two spaces the check fails!
-RUN echo "${HELM_CHECKSUM}  helm.tar.gz" | sha256sum -c
 RUN set -o pipefail && curl --location --fail --retry 20 --retry-connrefused --retry-all-errors \
   https://raw.githubusercontent.com/helm/helm/main/KEYS | gpg --import --batch --no-default-keyring --keyring /tmp/keyring.gpg 
 RUN gpgv --keyring /tmp/keyring.gpg helm.tar.gz.asc helm.tar.gz
@@ -77,6 +74,7 @@ ENV PATH=$PATH:/dist/usr/local/bin
 
 # Kubectl
 RUN curl --location --fail --retry 20 --retry-connrefused --retry-all-errors --output kubectl https://dl.k8s.io/release/v${K8S_VERSION}/bin/linux/amd64/kubectl
+# Without the two spaces the check fails!
 RUN echo "${KUBECTL_CHECKSUM}  kubectl" | sha256sum -c
 RUN chmod +x /tmp/kubectl
 RUN mv /tmp/kubectl /dist/usr/local/bin/kubectl
diff --git a/jenkins/values.yaml b/jenkins/values.yaml
@@ -1,5 +1,10 @@
 # For updating, delete pvc jenkins-docker-client
-dockerClientVersion: 24.0.6
+# When updating, we should not use too recent version, to not break support for LTS distros like debian
+# https://docs.docker.com/engine/install/debian/#os-requirements -> oldstable
+# For example:
+# $ curl -s https://download.docker.com/linux/debian/dists/bullseye/stable/binary-amd64/Packages  | grep -EA5 'Package\: docker-ce$' | grep Version | sort | uniq | tail -n1
+# Version: 5:27.1.1-1~debian.11~bullseye
+dockerClientVersion: 27.1.2
 
 controller:
   image:
diff --git a/src/main/groovy/com/cloudogu/gitops/config/ApplicationConfigurator.groovy b/src/main/groovy/com/cloudogu/gitops/config/ApplicationConfigurator.groovy
@@ -15,7 +15,8 @@ import static com.cloudogu.gitops.utils.MapUtils.*
 @Singleton
 class ApplicationConfigurator {
 
-    public static final String HELM_IMAGE = "ghcr.io/cloudogu/helm:3.10.3-1"
+    // When updating please also update in Dockerfile
+    public static final String HELM_IMAGE = "ghcr.io/cloudogu/helm:3.15.4-1"
     // When updating please also adapt in Dockerfile, vars.tf and init-cluster.sh
     public static final String K8S_VERSION = "1.29"
     public static final String DEFAULT_ADMIN_USER = 'admin'
