Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump otelhttp to fix CVE-2023-45142 #1858

Merged
merged 2 commits into from
Dec 13, 2023
Merged

Bump otelhttp to fix CVE-2023-45142 #1858

merged 2 commits into from
Dec 13, 2023

Conversation

jsafrane
Copy link
Contributor

@jsafrane jsafrane commented Dec 11, 2023
edited
Loading

Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to fix CVE-2023-47108.

See GHSA-8pgv-569h-w5rw for details.

I had to rework how OpenTelemetry is used by the CSI driver gRPC connection. I was not able to test it though.

@jsafrane
Bump otelhttp to fix CVE-2023-45142
8129f7e 
Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
to fix CVE-2023-47108.

See GHSA-8pgv-569h-w5rw
for details.
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Dec 11, 2023
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Dec 11, 2023
@github-actions GitHub Actions
Copy link

github-actions bot commented Dec 11, 2023
edited
Loading

Code Coverage Diff

File Old Coverage New Coverage Delta
github.com/kubernetes-sigs/aws-ebs-csi-driver/pkg/driver/driver.go 31.9% 32.4% 0.5

torredil
torredil reviewed Dec 11, 2023
View reviewed changes
Copy link
Member

@torredil torredil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @jsafrane thank you for this

make verify needs fixing, otherwise lgtm:

pkg/driver/driver.go:158:56: SA1019: otelgrpc.UnaryServerInterceptor is deprecated: Use [NewServerHandler] instead. (staticcheck)
		grpcInterceptor = grpc.ChainUnaryInterceptor(logErr, otelgrpc.UnaryServerInterceptor())

@jsafrane
Replace deprecated otelgrpc.UnaryServerInterceptor
8af47cf 
Replace it with otelgrpc.NewServerHandler.
@jsafrane
Copy link
Contributor Author

@torredil I just pushed a second commit reworking how OpenTelemetry is injected into gRPC, however, I have no means to test it.

@jsafrane
Copy link
Contributor Author

/test pull-aws-ebs-csi-driver-test-helm-chart
I did not touch these parts

@jsafrane
Copy link
Contributor Author

jsafrane commented Dec 12, 2023
edited
Loading

/retest

Did I break anything?

An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: No OpenIDConnect provider found in your account for https://oidc.eks.us-east-2.amazonaws.com/id

@torredil
Copy link
Member

@jsafrane This is related to #1856 (comment)
@dims looks like OIDC provider used by helm job got cleaned up

@torredil torredil mentioned this pull request Dec 12, 2023
Merged
@dims
Copy link
Member

dims commented Dec 12, 2023

@dims looks like OIDC provider used by helm job got cleaned up

@torredil can you create it again? (and let me know the ID/arn or something?)

@torredil
Copy link
Member

@dims The failure here is coming from IRSA on the CI cluster failing to get the role for the CI job. All jobs referencing serviceAccountName: aws-shared-testing-role are affected: https://github.com/kubernetes/test-infra/blob/2d18966d141e46d2508c9f414bfcba015a95f8e4/config/jobs/kubernetes-sigs/aws-ebs-csi-driver/aws-ebs-csi-driver-presubmits.yaml#L46

Same issue observed for the cloud-provider-aws-e2e periodic: https://testgrid.k8s.io/provider-aws-periodics#ci-cloud-provider-aws-e2e:

An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: No OpenIDConnect provider found in your account for https://oidc.eks.us-east-2.amazonaws.com/id/F8B73554FE6FBAF9B19569183FB39762
make: *** [Makefile:245: test-helm-chart] Error 255

@torredil
Copy link
Member

Relevant OIDC uri is defined here: https://github.com/kubernetes/k8s.io/blob/fbd00807fdc12dcd2ec0d222cc6c4056974ac7a4/infra/gcp/terraform/k8s-infra-prow-build/iam.tf#L37

@torredil
Copy link
Member

/retest

1 similar comment
@torredil
Copy link
Member

/retest

@ConnorJC3
Copy link
Contributor

/lgtm
/approve

approving so this merges as soon as CI fixes

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 13, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ConnorJC3

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 13, 2023
@torredil
Copy link
Member

/retest

1 similar comment
@AndrewSirenko
Copy link
Contributor

/retest

@k8s-ci-robot k8s-ci-robot merged commit d753d69 into kubernetes-sigs:master Dec 13, 2023
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@torredil torredil torredil left review comments

@AndrewSirenko AndrewSirenko AndrewSirenko approved these changes

Assignees

@ConnorJC3 ConnorJC3

@AndrewSirenko AndrewSirenko

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@jsafrane @torredil @dims @ConnorJC3 @k8s-ci-robot @AndrewSirenko