v0.12.0

Changes by Kind

Deprecation

• Remove vulndash
  I'm not a fan of doing this (because it was an intern's work), but
  vulndash is undeployed and unmaintained.

  Given the scope of the work, it creates an attack surface for the
  project in an unmaintained state, so we need to remove it. (#2322, @justaugustus)

Feature

• The stage phase of the Kubernetes release process is now SLSA compliant! 🎉
  • The anago state object now registers the time the release process starts.
  • We now make the GCB BUILD_ID identifier available to krel as an env var to include it in the provenance metadata.
  • New go pkg: provenance. This new package allows projects to generate provenance metadata in in-toto attestations with SLSA compliant predicates. The new package features a scanner to easily add files as subjects in the statement.
  • The provenance package now has tests and mocks
  • The staging phase of anago which krel runs now has a new step: GenerateProvenance(). This step writes a provenance attestation file to make stage SLSA1 compliant. The file describes the building environment and adds the artifacts that will be consumed from release as subjects in the statement.
  • The deletion of the Kubernetes source in the staging workspace is now decoupled from the StageLocalSourceTree() function
  • PushReleaseArtifacts() in the build package now supports uploading single files to the release bucket. Previously only directories could be uploaded with this function.
  • Optimized the artifact publishing logic to only create the Kubernetes source tarball once. Previously we tarred, compressed and uploaded the whole source tree once for each tag in the release. This is not needed as all releases share the same source. (#2273, @puerco)
• Add a new ci-reporter tool to generate weekly CI Signal Reports (#2309, @palnabarun)
• Added K8S_ORG, K8S_REPO and K8S_REF environment variable support to stage custom k/k forks. (#2074, @saschagrunert)
• Artifacts are now verified against the in-toto attestation produced during the staging phase of a release. If validation fails, for now only a warning is reported in the logs. Future builds will abort execution right after validation.
  • New ProvenanceChecker object in the release package to enable release runs to verify provenance metadata.
  • The provenance.Statement object which abstracts in-toto attestations can now read attestations from JSON files and clone predicates from other attestations. (#2283, @puerco)
• Config: Add configs for copying GitHub releases to GCS buckets (#2281, @justaugustus)
• Cosign: update cosign to 1.3.1 (#2315, @cpanato)
• Cross: build variants for each k8s release branch (main branch, 1.22, 1.21) (#2253, @cpanato)
• Debian-iptables image now contains /go-runner binary (#2301, @BenTheElder)
• Debian-iptables: Build bullseye-v1.0.0 images
• images: Build go1.17-bullseye variants
  • go-runner:v2.3.1-go1.17.1-bullseye.0
  • releng-ci (#2210, @justaugustus)
• Debian-iptables:bullseye image now contains /go-runner binary (#2310, @pohly)
• K8s-cloud-builder/k8s-ci-builder: Build image using go1.16.10 (#2311, @cpanato)
• K8s-cloud-builder/k8s-ci-builder: Build image using go1.16.8 (#2252, @cpanato)
• K8s-cloud-builder/k8s-ci-builder: Build image using go1.16.9 (#2290, @cpanato)
• K8s-cloud-builder/k8s-ci-builder: Build image using go1.17.1 (#2246, @cpanato)
• K8s-cloud-builder/k8s-ci-builder: Build image using go1.17.2 (#2289, @cpanato)
• K8s-cloud-builder/k8s-ci-builder: Build image using go1.17.3 (#2306, @cpanato)
• Krel: make promote-images work for other k8s and k8s sigs projects (#2280, @CecileRobertMichon)
• New SPDX parser to read and interpret SPDX SBoMs in tag/value format.
  • New subcommand bom document outline reads an SBOM and prints to the screen a tree-like structure detailing the elements (files/packages) described in the SBoM and the relationships among them. (#2298, @puerco)
• Release notes: Remove author and PR links from Markdown (#2274, @CecileRobertMichon)
• Releases now publish a provenance attestation with a SLSA 0.1 predicate describing all artifacts in the release bucket. (#2300, @puerco)
• Setcap: Build bullseye-v1.0.0 images
• images: Build go1.17-bullseye variants (part two)
  • kube-cross:v1.23.0-go1.17.1-bullseye.0
  • k8s-ci-builder (#2249, @justaugustus)
• Update cosign to v1.2.0 (#2251, @cpanato)
• Update cosign to v1.2.1 (#2259, @cpanato)
• [go] Build go1.17.2 and go1.16.9 images (#2285, @mengjiao-liu)
• [go] Build go1.17.3 and go1.16.10 images (#2305, @cpanato)

Documentation

• Go.mod: Update sigs.k8s.io/promo-tools/v3 to v3.2.1
  ...which fixes import issues following the repo rename. (#2255, @justaugustus)
• Issue-template: update dep-golang template to remove bazel updates (#2291, @cpanato)
• Krel/promote-images: make error when GitHub token is not provided more verbose
  krel/promote-images: update promotion PR body to have the command (#2320, @palnabarun)

Bug or Regression

• Cross: install ip looks like it is not there for bullseye (#2260, @cpanato)
• Fixed table of contents header links containing source code in changelog and release notes generation. (#2277, @saschagrunert)
• New release.ProvenanceReade object handles the generation of provenance subjects during staging. Written in response to a bug found in the intoto subjects included in the attestation, this new object is now more testable. (#2296, @puerco)
• Packages: Update minimum Kubernetes version to v1.19.0 (#2295, @justaugustus)

Other (Cleanup or Flake)

• During anago.release, krel will now download and perform the staged artifact verification in a dedicated directory in the Cloud Build workspace. (#2297, @puerco)
• FIxed the help text for krel cve -f. It now reads "update vulnerability data from a local map file" (#2257, @puerco)
• Go.mod: Update sigs.k8s.io/k8s-container-image-promoter to v3.2.0 (#2247, @justaugustus)

Dependencies

Added

• github.com/codahale/rfc6979: 6a90f24
• github.com/google/go-github/v34: v34.0.0
• github.com/google/go-github/v39: v39.2.0
• github.com/in-toto/in-toto-golang: v0.3.3
• github.com/lufia/plan9stats: 39d0f17
• github.com/shibumi/go-pathspec: v1.2.0
• sigs.k8s.io/promo-tools/v3: v3.2.1

Changed

• github.com/go-ole/go-ole: v1.2.5 → v1.2.6
• github.com/gomarkdown/markdown: 8c8b381 → 3b9f472
• github.com/google/go-querystring: v1.0.0 → v1.1.0
• github.com/mitchellh/mapstructure: v1.4.1 → v1.4.2
• github.com/sendgrid/rest: v2.6.4+incompatible → v2.6.5+incompatible
• github.com/sendgrid/sendgrid-go: v3.10.0+incompatible → v3.10.3+incompatible
• github.com/shirou/gopsutil/v3: v3.21.8 → v3.21.10
• github.com/yuin/goldmark: v1.4.1 → v1.4.4
• golang.org/x/crypto: 5ff15b2 → 32db794
• golang.org/x/mod: v0.5.0 → v0.5.1
• golang.org/x/net: abc4532 → aaa1db6
• golang.org/x/sys: 63515b4 → 97ac67d
• golang.org/x/tools: v0.1.5 → v0.1.7
• sigs.k8s.io/mdtoc: v1.0.1 → v1.1.0
• sigs.k8s.io/release-sdk: v0.2.0 → f50f511
• sigs.k8s.io/yaml: v1.2.0 → v1.3.0

Removed

• sigs.k8s.io/k8s-container-image-promoter: v1.339.0