diff --git a/CVEs/Makefile b/CVEs/Makefile index 29cdaa8e..f274c41c 100644 --- a/CVEs/Makefile +++ b/CVEs/Makefile @@ -52,10 +52,11 @@ kustomize-build-all: KFD_VERSION=$(KFD_VERSION) echo "" > $(KFD_VERSION)/built.yaml for kustomize in `find $(KFD_VERSION)/.furyctl/sighup/vendor/modules \ - \( -name "kustomization.y*ml" \) \ - -not -path "*cluster-autoscaler/*/kustomization.yaml" \ - -and -not -path "*examples*" \ - -or -path "*/cluster-autoscaler/$${KFD_VERSION%.*}*/kustomization.yaml"`; do \ + -not -path "*/cluster-autoscaler/base/*" \ + -not -path "*/tests/*" \ + -not -path "*/examples/*" \ + -name "kustomization.y*ml" \ + \( -path "*/cluster-autoscaler/$$(echo $${KFD_VERSION} | cut -d'.' -f1,2)*/*" -or -not -path "*/cluster-autoscaler/*" \)`; do \ `find $(KFD_VERSION)/.furyctl/bin -name kustomize -type f` build `dirname $$kustomize` >> $(KFD_VERSION)/built.yaml; \ done @@ -73,7 +74,3 @@ trivy-download-db: scan-vulns: TRIVY_CACHE_DIR=$(TRIVY_CACHE_DIR) ./scan_vuln.sh -v "$(KFD_VERSION)" -l "$(LIST_FILE)" -o "$(OUTPUT_FILE)"; - - - - diff --git a/CVEs/patch_images_with_copacetic.sh b/CVEs/patch_images_with_copacetic.sh index 10590ef7..6c63704d 100755 --- a/CVEs/patch_images_with_copacetic.sh +++ b/CVEs/patch_images_with_copacetic.sh 
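Review bot: The minor-version prefix in the new `-path` term is built with `$$(echo $${KFD_VERSION} | cut -d'.' -f1,2)`, which forks two processes inside the recipe and diverges from the removed `$${KFD_VERSION%.*}` for tags with a pre-release suffix (`v1.27.5-rc.1` yields `v1.27` with cut but `v1.27.5-rc` with the expansion). The same value can be computed once by make, `KFD_MINOR = $(basename $(KFD_VERSION))` next to the existing target-specific assignment, and used as `"*/cluster-autoscaler/$(KFD_MINOR)*/*"`, which also keeps the find expression readable. When the filter matches nothing the loop body never runs and `built.yaml` holds only the blank line written above it, so the later scan silently covers no manifests; a final recipe line such as `grep -q '^kind:' $(KFD_VERSION)/built.yaml` would make that fail loudly. Independently of this change, a failing `kustomize build` on any iteration but the last is swallowed because the loop's exit status is that of its final command; appending `|| exit 1` to the build call inside the loop would propagate it. The `for` line and the second `find` for the kustomize binary are unchanged context.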
@@ -103,16 +103,26 @@ function patch_image() { COPA_REPORT_OUTPUT_FILE=${COPA_PATCH_OUTPUT_DIR}/${image_to_patch//[:\/]/_}-${ARCHITECTURE}.vex.json COPA_PATCHING_LOG_FILE=${COPA_PATCH_OUTPUT_DIR}/${image_to_patch//[:\/]/_}-${ARCHITECTURE}.log info "Looking for CVEs in ${image_to_patch} for linux/${ARCHITECTURE}" - trivy image --platform=linux/${ARCHITECTURE} \ + if ! trivy image --platform=linux/${ARCHITECTURE} \ --skip-db-update --skip-java-db-update \ --cache-dir ${TRIVY_CACHE_DIR:-/tmp/.cache/trivy} \ --scanners vuln -q --vuln-type os --ignore-unfixed \ -f json -o "${TRIVY_SCAN_OUTPUT_FILE}" \ "${image_to_patch_with_digest}" + then + error "trivy failed to scan $image for linux/${ARCHITECTURE}" + PATCH_IMAGE_RETURN_ERROR=$((PATCH_IMAGE_RETURN_ERROR + 1)) + continue + fi # info "Clean trivy scan cache" # trivy clean --scan-cache info "Patching CVEs in ${image_to_patch} for linux/${ARCHITECTURE}" - copa patch -r "${TRIVY_SCAN_OUTPUT_FILE}" -i "${image_to_patch_with_digest}" --tag ${patched_tag} --format="openvex" --output "$COPA_REPORT_OUTPUT_FILE" -a tcp://127.0.0.1:8888 2>&1 | tee "${COPA_PATCHING_LOG_FILE}" + copa patch --timeout "15m" \ + -i "${image_to_patch_with_digest}" \ + -r "${TRIVY_SCAN_OUTPUT_FILE}" \ + --tag ${patched_tag} --format="openvex" \ + --output "$COPA_REPORT_OUTPUT_FILE" \ + -a tcp://127.0.0.1:8888 2>&1 | tee "${COPA_PATCHING_LOG_FILE}" copa_exit_code=${PIPESTATUS[0]} if [ "${copa_exit_code}" -eq 0 ] @@ -190,7 +200,8 @@ function patch_image() { if ( [ "${copa_error}" == "no patchable vulnerabilities found" ] || [ "${copa_error}" == "no scanning results for os-pkgs found" ] || - [[ "${copa_error}" =~ "errors occurred:" ]] + [[ "${copa_error}" =~ "errors occurred:" ]] || + [[ "${copa_error}" =~ "unsupported osType" ]] ) then warn "${copa_error} in ${image_to_patch} for linux/${ARCHITECTURE}" 
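Review bot: The new `error "trivy failed to scan $image for linux/${ARCHITECTURE}"` interpolates `$image`, while the scan it reports on and every neighbouring message use `${image_to_patch}`; `$image` is not assigned anywhere in this hunk, so the line will name the wrong image or none at all, which matters when this log is what an operator uses to find which image escaped patching. Change it to `error "trivy failed to scan ${image_to_patch} for linux/${ARCHITECTURE}"`. The `continue` skips the architecture without adding to `MULTI_ARCH_IMAGES`, so presumably only the manifest count check later in the function keeps a partially scanned image from being published; a comment on it, `# skip this arch; the manifest step below refuses incomplete image sets`, would make that dependency visible. The enclosing per-architecture loop and the rest of `patch_image` lie outside the hunk.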
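Review bot: Adding `unsupported osType` to this list sends an image copa cannot patch at all down the same `warn` path as `no patchable vulnerabilities found`, so an image that still carries every OS CVE trivy reported is logged like a clean one and, as far as this hunk shows, leaves `PATCH_IMAGE_RETURN_ERROR` untouched. If tolerating such images is intended, they should at least be distinguishable: a separate branch with `warn "copa does not support the base OS of ${image_to_patch}; its CVEs remain unpatched"` and appending `${image_to_patch}` to an `UNPATCHABLE_IMAGES` variable that the script prints at the end, if it has a summary. What happens after the `warn`, in particular whether the unpatched image is still tagged and pushed as the secured one, is outside the hunk, and the severity of this point depends on that path.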
@@ -215,15 +226,20 @@ function patch_image() { fi done - if [ ${DRY_RUN:-1} -eq 0 ] && [[ $(echo ${MULTI_ARCH_IMAGES} | wc -w) -eq $(echo ${ARCHITECTURES} | wc -w) ]] + if [[ $(echo ${MULTI_ARCH_IMAGES} | wc -w) -lt $(echo ${ARCHITECTURES} | wc -w) ]] then - info "Create and push manifest ${secured_image}" - if podman_run "podman manifest create ${secured_image} ${MULTI_ARCH_IMAGES} && podman manifest push ${secured_image}" + error "manifest ${secured_image} will not created as it does not include all the architectures" + else + if [ ${DRY_RUN:-1} -eq 0 ] then - success "manifest ${secured_image} pushed" - else - error "failed pushing manifest ${secured_image}" - PATCH_IMAGE_RETURN_ERROR=$((PATCH_IMAGE_RETURN_ERROR + 1)) + info "Create and push manifest ${secured_image}" + if podman_run "podman manifest create ${secured_image} ${MULTI_ARCH_IMAGES} && podman manifest push ${secured_image}" + then + success "manifest ${secured_image} pushed" + else + error "failed pushing manifest ${secured_image}" + PATCH_IMAGE_RETURN_ERROR=$((PATCH_IMAGE_RETURN_ERROR + 1)) + fi fi fi diff --git a/CVEs/v1.27.0/furyctl.yaml b/CVEs/v1.27.0/furyctl.yaml deleted file mode 100644 index 9a0a2903..00000000 --- a/CVEs/v1.27.0/furyctl.yaml +++ /dev/null 
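Review bot: The new `error "manifest ${secured_image} will not created as it does not include all the architectures"` is the only `error` branch in this block that does not increment `PATCH_IMAGE_RETURN_ERROR`, so if an architecture was dropped by a path that did not already count a failure, the run presumably ends as if the manifest had been pushed; the message also reads "will not created". Suggested: `error "manifest ${secured_image} will not be created: only $(echo ${MULTI_ARCH_IMAGES} | wc -w) of $(echo ${ARCHITECTURES} | wc -w) architectures were patched"` followed by `PATCH_IMAGE_RETURN_ERROR=$((PATCH_IMAGE_RETURN_ERROR + 1))`. The comparison also switched to `-lt`, which lets a list with more entries than architectures through; `-ne` is the exact inverse of the removed `-eq`. The loop closed by the `done` at the top and the remainder of `patch_image` are outside the hunk.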
@@ -1,120 +0,0 @@ -# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. - - -# This is a sample configuration file to be used as a starting point. For the -# complete reference of the configuration file schema, please refer to the -# official documentation: -# https://docs.kubernetesfury.com/docs/furyctl/providers/kfddistribution - ---- -apiVersion: kfd.sighup.io/v1alpha2 -kind: KFDDistribution -metadata: - # The name of the cluster, will be also used as a prefix for all the other resources created - name: sighup -spec: - # This value defines which KFD version will be installed and in consequence the Kubernetes version to use to create the cluster, - # it supports git tags and branches - distributionVersion: v1.27.0 - # This section describes how the KFD distribution will be installed - distribution: - # This common configuration will be applied to all the packages that will be installed in the cluster - kubeconfig: path/to/kubeconfig - # common: - # # The node selector to use to place the pods for all the KFD packages - # nodeSelector: - # node.kubernetes.io/role: infra - # # The tolerations that will be added to the pods for all the KFD packages - # tolerations: - # - effect: NoSchedule - # key: node.kubernetes.io/role - # value: infra - # This section contains all the configurations for all the KFD core modules - modules: - networking: - # this type defines if we need to install the networking in the cluster, type available: none, cilium, calico - type: none - # This section contains all the configurations for the ingress module - ingress: - # the base domain used for all the KFD ingresses, if in the nginx dual configuration, it should be the same as the .spec.distribution.modules.ingress.dns.private.name zone - baseDomain: internal.example.dev - # configurations for the nginx ingress controller package - nginx: - # type defines if the nginx should 
be configured as single or dual (internal + external) or none, with none no ingress controller will be deployed and also no ingress resource will be created - type: dual - # the tls section defines how the tls for the ingresses should be managed - tls: - # provider can be certManager, secret - provider: certManager - # if provider is set as secret, this key will be used to create the certificate in the cluster - # secret: - # the certificate file content or you can use the file notation to get the content from a file - # cert: "{file://relative/path/to/ssl.crt}" - # the key file, a file notation can be used to get the content from a file - # key: "{file://relative/path/to/ssl.key}" - # the ca file, a file notation can be used to get the content from a file - # ca: "{file://relative/path/to/ssl.ca}" - # configuration for the cert-manager package - certManager: - # the configuration for the clusterIssuer that will be created - clusterIssuer: - # the name of the clusterIssuer - name: letsencrypt-fury - # the email used during issuing procedures - email: example@sighup.io - # you can configure the clusterIssuer by specifing type (can be only http01) or custom solvers - type: http01 - # the custom solvers configurations - # solvers: - # - http01: - # ingress: - # class: nginx - # This section contains all the configurations for the logging module - logging: - # can be opensearch or loki or none, with none, nothing from the logging module will be installed - type: loki - # configurations for the minio-ha package - minio: - # the PVC size for each minio disk, 6 disks total - storageSize: "20Gi" - # This section contains all the configurations for the monitoring module - monitoring: - # can be prometheus or mimir or none, with none, nothing from the monitoring module will be installed - type: "prometheus" - # This section contains all the configurations for the tracing module - tracing: - # can be tempo or none, with none, nothing from the tracing module will be installed 
- type: tempo - # configurations for the minio-ha package - minio: - # the PVC size for each minio disk, 6 disks total - storageSize: "20Gi" - # This section contains all the configurations for the policy (opa) module - policy: - # type can be gatekeeper, kyverno or none - type: gatekeeper - # configurations for the gatekeeper package - gatekeeper: - # This parameter adds namespaces to Gatekeeper's exemption list, so it will not enforce the constraints on them. - additionalExcludedNamespaces: [] - installDefaultPolicies: true - enforcementAction: deny - # This section contains all the configurations for the Disaster Recovery module - dr: - # type can be none or on-premises - type: on-premises - # Configurations for the velero package - velero: {} - # This section contains all the configurations for the auth module - auth: - provider: - # The authentication type used for the infrastructure ingresses (all the ingress for the distribution) can be none, basicAuth, sso - type: none - # The base domain used for all the auth ingresses, if in the nginx dual configuration, it should be the same as the .spec.distribution.modules.ingress.dns.public.name zone - baseDomain: example.dev - # Custom Patches to add or override fields in the generated manifests - #customPatches: {} - # Plugins to be installed - #plugins: {} \ No newline at end of file diff --git a/CVEs/v1.27.1/furyctl.yaml b/CVEs/v1.27.1/furyctl.yaml deleted file mode 100644 index 6aff2fbe..00000000 --- a/CVEs/v1.27.1/furyctl.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. - - -# This is a sample configuration file to be used as a starting point. For the -# complete reference of the configuration file schema, please refer to the -# official documentation: -# https://docs.kubernetesfury.com/docs/furyctl/providers/kfddistribution - ---- -apiVersion: kfd.sighup.io/v1alpha2 -kind: KFDDistribution -metadata: - # The name of the cluster, will be also used as a prefix for all the other resources created - name: sighup -spec: - # This value defines which KFD version will be installed and in consequence the Kubernetes version to use to create the cluster, - # it supports git tags and branches - distributionVersion: v1.27.1 - # This section describes how the KFD distribution will be installed - distribution: - # This common configuration will be applied to all the packages that will be installed in the cluster - kubeconfig: path/to/kubeconfig - # common: - # # The node selector to use to place the pods for all the KFD packages - # nodeSelector: - # node.kubernetes.io/role: infra - # # The tolerations that will be added to the pods for all the KFD packages - # tolerations: - # - effect: NoSchedule - # key: node.kubernetes.io/role - # value: infra - # This section contains all the configurations for all the KFD core modules - modules: - networking: - # this type defines if we need to install the networking in the cluster, type available: none, cilium, calico - type: none - # This section contains all the configurations for the ingress module - ingress: - # the base domain used for all the KFD ingresses, if in the nginx dual configuration, it should be the same as the .spec.distribution.modules.ingress.dns.private.name zone - baseDomain: internal.example.dev - # configurations for the nginx ingress controller package - nginx: - # type defines if the nginx should 
be configured as single or dual (internal + external) or none, with none no ingress controller will be deployed and also no ingress resource will be created - type: dual - # the tls section defines how the tls for the ingresses should be managed - tls: - # provider can be certManager, secret - provider: certManager - # if provider is set as secret, this key will be used to create the certificate in the cluster - # secret: - # the certificate file content or you can use the file notation to get the content from a file - # cert: "{file://relative/path/to/ssl.crt}" - # the key file, a file notation can be used to get the content from a file - # key: "{file://relative/path/to/ssl.key}" - # the ca file, a file notation can be used to get the content from a file - # ca: "{file://relative/path/to/ssl.ca}" - # configuration for the cert-manager package - certManager: - # the configuration for the clusterIssuer that will be created - clusterIssuer: - # the name of the clusterIssuer - name: letsencrypt-fury - # the email used during issuing procedures - email: example@sighup.io - # you can configure the clusterIssuer by specifing type (can be only http01) or custom solvers - type: http01 - # the custom solvers configurations - # solvers: - # - http01: - # ingress: - # class: nginx - # This section contains all the configurations for the logging module - logging: - # can be opensearch or loki or none, with none, nothing from the logging module will be installed - type: loki - # configurations for the minio-ha package - minio: - # the PVC size for each minio disk, 6 disks total - storageSize: "20Gi" - # This section contains all the configurations for the monitoring module - monitoring: - # can be prometheus or mimir or none, with none, nothing from the monitoring module will be installed - type: "prometheus" - # This section contains all the configurations for the tracing module - tracing: - # can be tempo or none, with none, nothing from the tracing module will be installed 
- type: tempo - # configurations for the minio-ha package - minio: - # the PVC size for each minio disk, 6 disks total - storageSize: "20Gi" - # This section contains all the configurations for the policy (opa) module - policy: - # type can be gatekeeper, kyverno or none - type: gatekeeper - # configurations for the gatekeeper package - gatekeeper: - # This parameter adds namespaces to Gatekeeper's exemption list, so it will not enforce the constraints on them. - additionalExcludedNamespaces: [] - installDefaultPolicies: true - enforcementAction: deny - # This section contains all the configurations for the Disaster Recovery module - dr: - # type can be none or on-premises - type: on-premises - # Configurations for the velero package - velero: {} - # This section contains all the configurations for the auth module - auth: - provider: - # The authentication type used for the infrastructure ingresses (all the ingress for the distribution) can be none, basicAuth, sso - type: none - # The base domain used for all the auth ingresses, if in the nginx dual configuration, it should be the same as the .spec.distribution.modules.ingress.dns.public.name zone - baseDomain: example.dev - # Custom Patches to add or override fields in the generated manifests - #customPatches: {} - # Plugins to be installed - #plugins: {} \ No newline at end of file diff --git a/CVEs/v1.27.2/furyctl.yaml b/CVEs/v1.27.2/furyctl.yaml deleted file mode 100644 index 8d760bba..00000000 --- a/CVEs/v1.27.2/furyctl.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. - - -# This is a sample configuration file to be used as a starting point. For the -# complete reference of the configuration file schema, please refer to the -# official documentation: -# https://docs.kubernetesfury.com/docs/furyctl/providers/kfddistribution - ---- -apiVersion: kfd.sighup.io/v1alpha2 -kind: KFDDistribution -metadata: - # The name of the cluster, will be also used as a prefix for all the other resources created - name: sighup -spec: - # This value defines which KFD version will be installed and in consequence the Kubernetes version to use to create the cluster, - # it supports git tags and branches - distributionVersion: v1.27.2 - # This section describes how the KFD distribution will be installed - distribution: - # This common configuration will be applied to all the packages that will be installed in the cluster - kubeconfig: path/to/kubeconfig - # common: - # # The node selector to use to place the pods for all the KFD packages - # nodeSelector: - # node.kubernetes.io/role: infra - # # The tolerations that will be added to the pods for all the KFD packages - # tolerations: - # - effect: NoSchedule - # key: node.kubernetes.io/role - # value: infra - # This section contains all the configurations for all the KFD core modules - modules: - networking: - # this type defines if we need to install the networking in the cluster, type available: none, cilium, calico - type: none - # This section contains all the configurations for the ingress module - ingress: - # the base domain used for all the KFD ingresses, if in the nginx dual configuration, it should be the same as the .spec.distribution.modules.ingress.dns.private.name zone - baseDomain: internal.example.dev - # configurations for the nginx ingress controller package - nginx: - # type defines if the nginx should 
be configured as single or dual (internal + external) or none, with none no ingress controller will be deployed and also no ingress resource will be created - type: dual - # the tls section defines how the tls for the ingresses should be managed - tls: - # provider can be certManager, secret - provider: certManager - # if provider is set as secret, this key will be used to create the certificate in the cluster - # secret: - # the certificate file content or you can use the file notation to get the content from a file - # cert: "{file://relative/path/to/ssl.crt}" - # the key file, a file notation can be used to get the content from a file - # key: "{file://relative/path/to/ssl.key}" - # the ca file, a file notation can be used to get the content from a file - # ca: "{file://relative/path/to/ssl.ca}" - # configuration for the cert-manager package - certManager: - # the configuration for the clusterIssuer that will be created - clusterIssuer: - # the name of the clusterIssuer - name: letsencrypt-fury - # the email used during issuing procedures - email: example@sighup.io - # you can configure the clusterIssuer by specifing type (can be only http01) or custom solvers - type: http01 - # the custom solvers configurations - # solvers: - # - http01: - # ingress: - # class: nginx - # This section contains all the configurations for the logging module - logging: - # can be opensearch or loki or none, with none, nothing from the logging module will be installed - type: loki - # configurations for the minio-ha package - minio: - # the PVC size for each minio disk, 6 disks total - storageSize: "20Gi" - # This section contains all the configurations for the monitoring module - monitoring: - # can be prometheus or mimir or none, with none, nothing from the monitoring module will be installed - type: "prometheus" - # This section contains all the configurations for the tracing module - tracing: - # can be tempo or none, with none, nothing from the tracing module will be installed 
- type: tempo - # configurations for the minio-ha package - minio: - # the PVC size for each minio disk, 6 disks total - storageSize: "20Gi" - # This section contains all the configurations for the policy (opa) module - policy: - # type can be gatekeeper, kyverno or none - type: gatekeeper - # configurations for the gatekeeper package - gatekeeper: - # This parameter adds namespaces to Gatekeeper's exemption list, so it will not enforce the constraints on them. - additionalExcludedNamespaces: [] - installDefaultPolicies: true - enforcementAction: deny - # This section contains all the configurations for the Disaster Recovery module - dr: - # type can be none or on-premises - type: on-premises - # Configurations for the velero package - velero: {} - # This section contains all the configurations for the auth module - auth: - provider: - # The authentication type used for the infrastructure ingresses (all the ingress for the distribution) can be none, basicAuth, sso - type: none - # The base domain used for all the auth ingresses, if in the nginx dual configuration, it should be the same as the .spec.distribution.modules.ingress.dns.public.name zone - baseDomain: example.dev - # Custom Patches to add or override fields in the generated manifests - #customPatches: {} - # Plugins to be installed - #plugins: {} \ No newline at end of file diff --git a/CVEs/v1.27.3/furyctl.yaml b/CVEs/v1.27.3/furyctl.yaml deleted file mode 100644 index 7438962e..00000000 --- a/CVEs/v1.27.3/furyctl.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. - - -# This is a sample configuration file to be used as a starting point. For the -# complete reference of the configuration file schema, please refer to the -# official documentation: -# https://docs.kubernetesfury.com/docs/furyctl/providers/kfddistribution - ---- -apiVersion: kfd.sighup.io/v1alpha2 -kind: KFDDistribution -metadata: - # The name of the cluster, will be also used as a prefix for all the other resources created - name: sighup -spec: - # This value defines which KFD version will be installed and in consequence the Kubernetes version to use to create the cluster, - # it supports git tags and branches - distributionVersion: v1.27.3 - # This section describes how the KFD distribution will be installed - distribution: - # This common configuration will be applied to all the packages that will be installed in the cluster - kubeconfig: path/to/kubeconfig - # common: - # # The node selector to use to place the pods for all the KFD packages - # nodeSelector: - # node.kubernetes.io/role: infra - # # The tolerations that will be added to the pods for all the KFD packages - # tolerations: - # - effect: NoSchedule - # key: node.kubernetes.io/role - # value: infra - # This section contains all the configurations for all the KFD core modules - modules: - networking: - # this type defines if we need to install the networking in the cluster, type available: none, cilium, calico - type: none - # This section contains all the configurations for the ingress module - ingress: - # the base domain used for all the KFD ingresses, if in the nginx dual configuration, it should be the same as the .spec.distribution.modules.ingress.dns.private.name zone - baseDomain: internal.example.dev - # configurations for the nginx ingress controller package - nginx: - # type defines if the nginx should 
be configured as single or dual (internal + external) or none, with none no ingress controller will be deployed and also no ingress resource will be created - type: dual - # the tls section defines how the tls for the ingresses should be managed - tls: - # provider can be certManager, secret - provider: certManager - # if provider is set as secret, this key will be used to create the certificate in the cluster - # secret: - # the certificate file content or you can use the file notation to get the content from a file - # cert: "{file://relative/path/to/ssl.crt}" - # the key file, a file notation can be used to get the content from a file - # key: "{file://relative/path/to/ssl.key}" - # the ca file, a file notation can be used to get the content from a file - # ca: "{file://relative/path/to/ssl.ca}" - # configuration for the cert-manager package - certManager: - # the configuration for the clusterIssuer that will be created - clusterIssuer: - # the name of the clusterIssuer - name: letsencrypt-fury - # the email used during issuing procedures - email: example@sighup.io - # you can configure the clusterIssuer by specifing type (can be only http01) or custom solvers - type: http01 - # the custom solvers configurations - # solvers: - # - http01: - # ingress: - # class: nginx - # This section contains all the configurations for the logging module - logging: - # can be opensearch or loki or none, with none, nothing from the logging module will be installed - type: loki - # configurations for the minio-ha package - minio: - # the PVC size for each minio disk, 6 disks total - storageSize: "20Gi" - # This section contains all the configurations for the monitoring module - monitoring: - # can be prometheus or mimir or none, with none, nothing from the monitoring module will be installed - type: "prometheus" - # This section contains all the configurations for the tracing module - tracing: - # can be tempo or none, with none, nothing from the tracing module will be installed 
- type: tempo - # configurations for the minio-ha package - minio: - # the PVC size for each minio disk, 6 disks total - storageSize: "20Gi" - # This section contains all the configurations for the policy (opa) module - policy: - # type can be gatekeeper, kyverno or none - type: gatekeeper - # configurations for the gatekeeper package - gatekeeper: - # This parameter adds namespaces to Gatekeeper's exemption list, so it will not enforce the constraints on them. - additionalExcludedNamespaces: [] - installDefaultPolicies: true - enforcementAction: deny - # This section contains all the configurations for the Disaster Recovery module - dr: - # type can be none or on-premises - type: on-premises - # Configurations for the velero package - velero: {} - # This section contains all the configurations for the auth module - auth: - provider: - # The authentication type used for the infrastructure ingresses (all the ingress for the distribution) can be none, basicAuth, sso - type: none - # The base domain used for all the auth ingresses, if in the nginx dual configuration, it should be the same as the .spec.distribution.modules.ingress.dns.public.name zone - baseDomain: example.dev - # Custom Patches to add or override fields in the generated manifests - #customPatches: {} - # Plugins to be installed - #plugins: {} \ No newline at end of file diff --git a/CVEs/v1.27.4/furyctl.yaml b/CVEs/v1.27.4/furyctl.yaml deleted file mode 100644 index 10c82303..00000000 --- a/CVEs/v1.27.4/furyctl.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. - - -# This is a sample configuration file to be used as a starting point. For the -# complete reference of the configuration file schema, please refer to the -# official documentation: -# https://docs.kubernetesfury.com/docs/furyctl/providers/kfddistribution - ---- -apiVersion: kfd.sighup.io/v1alpha2 -kind: KFDDistribution -metadata: - # The name of the cluster, will be also used as a prefix for all the other resources created - name: sighup -spec: - # This value defines which KFD version will be installed and in consequence the Kubernetes version to use to create the cluster, - # it supports git tags and branches - distributionVersion: v1.27.4 - # This section describes how the KFD distribution will be installed - distribution: - # This common configuration will be applied to all the packages that will be installed in the cluster - kubeconfig: path/to/kubeconfig - # common: - # # The node selector to use to place the pods for all the KFD packages - # nodeSelector: - # node.kubernetes.io/role: infra - # # The tolerations that will be added to the pods for all the KFD packages - # tolerations: - # - effect: NoSchedule - # key: node.kubernetes.io/role - # value: infra - # This section contains all the configurations for all the KFD core modules - modules: - networking: - # this type defines if we need to install the networking in the cluster, type available: none, cilium, calico - type: none - # This section contains all the configurations for the ingress module - ingress: - # the base domain used for all the KFD ingresses, if in the nginx dual configuration, it should be the same as the .spec.distribution.modules.ingress.dns.private.name zone - baseDomain: internal.example.dev - # configurations for the nginx ingress controller package - nginx: - # type defines if the nginx should 
be configured as single or dual (internal + external) or none, with none no ingress controller will be deployed and also no ingress resource will be created - type: dual - # the tls section defines how the tls for the ingresses should be managed - tls: - # provider can be certManager, secret - provider: certManager - # if provider is set as secret, this key will be used to create the certificate in the cluster - # secret: - # the certificate file content or you can use the file notation to get the content from a file - # cert: "{file://relative/path/to/ssl.crt}" - # the key file, a file notation can be used to get the content from a file - # key: "{file://relative/path/to/ssl.key}" - # the ca file, a file notation can be used to get the content from a file - # ca: "{file://relative/path/to/ssl.ca}" - # configuration for the cert-manager package - certManager: - # the configuration for the clusterIssuer that will be created - clusterIssuer: - # the name of the clusterIssuer - name: letsencrypt-fury - # the email used during issuing procedures - email: example@sighup.io - # you can configure the clusterIssuer by specifing type (can be only http01) or custom solvers - type: http01 - # the custom solvers configurations - # solvers: - # - http01: - # ingress: - # class: nginx - # This section contains all the configurations for the logging module - logging: - # can be opensearch or loki or none, with none, nothing from the logging module will be installed - type: loki - # configurations for the minio-ha package - minio: - # the PVC size for each minio disk, 6 disks total - storageSize: "20Gi" - # This section contains all the configurations for the monitoring module - monitoring: - # can be prometheus or mimir or none, with none, nothing from the monitoring module will be installed - type: "prometheus" - # This section contains all the configurations for the tracing module - tracing: - # can be tempo or none, with none, nothing from the tracing module will be installed 
- type: tempo - # configurations for the minio-ha package - minio: - # the PVC size for each minio disk, 6 disks total - storageSize: "20Gi" - # This section contains all the configurations for the policy (opa) module - policy: - # type can be gatekeeper, kyverno or none - type: gatekeeper - # configurations for the gatekeeper package - gatekeeper: - # This parameter adds namespaces to Gatekeeper's exemption list, so it will not enforce the constraints on them. - additionalExcludedNamespaces: [] - installDefaultPolicies: true - enforcementAction: deny - # This section contains all the configurations for the Disaster Recovery module - dr: - # type can be none or on-premises - type: on-premises - # Configurations for the velero package - velero: {} - # This section contains all the configurations for the auth module - auth: - provider: - # The authentication type used for the infrastructure ingresses (all the ingress for the distribution) can be none, basicAuth, sso - type: none - # The base domain used for all the auth ingresses, if in the nginx dual configuration, it should be the same as the .spec.distribution.modules.ingress.dns.public.name zone - baseDomain: example.dev - # Custom Patches to add or override fields in the generated manifests - #customPatches: {} - # Plugins to be installed - #plugins: {} \ No newline at end of file diff --git a/CVEs/v1.27.5/furyctl.yaml b/CVEs/v1.27.5/furyctl.yaml deleted file mode 100644 index 8387cbd7..00000000 --- a/CVEs/v1.27.5/furyctl.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. - - -# This is a sample configuration file to be used as a starting point. For the -# complete reference of the configuration file schema, please refer to the -# official documentation: -# https://docs.kubernetesfury.com/docs/furyctl/providers/kfddistribution - ---- -apiVersion: kfd.sighup.io/v1alpha2 -kind: KFDDistribution -metadata: - # The name of the cluster, will be also used as a prefix for all the other resources created - name: sighup -spec: - # This value defines which KFD version will be installed and in consequence the Kubernetes version to use to create the cluster, - # it supports git tags and branches - distributionVersion: v1.27.5 - # This section describes how the KFD distribution will be installed - distribution: - # This common configuration will be applied to all the packages that will be installed in the cluster - kubeconfig: path/to/kubeconfig - # common: - # # The node selector to use to place the pods for all the KFD packages - # nodeSelector: - # node.kubernetes.io/role: infra - # # The tolerations that will be added to the pods for all the KFD packages - # tolerations: - # - effect: NoSchedule - # key: node.kubernetes.io/role - # value: infra - # This section contains all the configurations for all the KFD core modules - modules: - networking: - # this type defines if we need to install the networking in the cluster, type available: none, cilium, calico - type: none - # This section contains all the configurations for the ingress module - ingress: - # the base domain used for all the KFD ingresses, if in the nginx dual configuration, it should be the same as the .spec.distribution.modules.ingress.dns.private.name zone - baseDomain: internal.example.dev - # configurations for the nginx ingress controller package - nginx: - # type defines if the nginx should 
be configured as single or dual (internal + external) or none, with none no ingress controller will be deployed and also no ingress resource will be created - type: dual - # the tls section defines how the tls for the ingresses should be managed - tls: - # provider can be certManager, secret - provider: certManager - # if provider is set as secret, this key will be used to create the certificate in the cluster - # secret: - # the certificate file content or you can use the file notation to get the content from a file - # cert: "{file://relative/path/to/ssl.crt}" - # the key file, a file notation can be used to get the content from a file - # key: "{file://relative/path/to/ssl.key}" - # the ca file, a file notation can be used to get the content from a file - # ca: "{file://relative/path/to/ssl.ca}" - # configuration for the cert-manager package - certManager: - # the configuration for the clusterIssuer that will be created - clusterIssuer: - # the name of the clusterIssuer - name: letsencrypt-fury - # the email used during issuing procedures - email: example@sighup.io - # you can configure the clusterIssuer by specifing type (can be only http01) or custom solvers - type: http01 - # the custom solvers configurations - # solvers: - # - http01: - # ingress: - # class: nginx - # This section contains all the configurations for the logging module - logging: - # can be opensearch or loki or none, with none, nothing from the logging module will be installed - type: loki - # configurations for the minio-ha package - minio: - # the PVC size for each minio disk, 6 disks total - storageSize: "20Gi" - # This section contains all the configurations for the monitoring module - monitoring: - # can be prometheus or mimir or none, with none, nothing from the monitoring module will be installed - type: "prometheus" - # This section contains all the configurations for the tracing module - tracing: - # can be tempo or none, with none, nothing from the tracing module will be installed 
- type: tempo - # configurations for the minio-ha package - minio: - # the PVC size for each minio disk, 6 disks total - storageSize: "20Gi" - # This section contains all the configurations for the policy (opa) module - policy: - # type can be gatekeeper, kyverno or none - type: gatekeeper - # configurations for the gatekeeper package - gatekeeper: - # This parameter adds namespaces to Gatekeeper's exemption list, so it will not enforce the constraints on them. - additionalExcludedNamespaces: [] - installDefaultPolicies: true - enforcementAction: deny - # This section contains all the configurations for the Disaster Recovery module - dr: - # type can be none or on-premises - type: on-premises - # Configurations for the velero package - velero: {} - # This section contains all the configurations for the auth module - auth: - provider: - # The authentication type used for the infrastructure ingresses (all the ingress for the distribution) can be none, basicAuth, sso - type: none - # The base domain used for all the auth ingresses, if in the nginx dual configuration, it should be the same as the .spec.distribution.modules.ingress.dns.public.name zone - baseDomain: example.dev - # Custom Patches to add or override fields in the generated manifests - #customPatches: {} - # Plugins to be installed - #plugins: {} \ No newline at end of file diff --git a/CVEs/v1.27.6/furyctl.yaml b/CVEs/v1.27.6/furyctl.yaml deleted file mode 100644 index 4b976454..00000000 --- a/CVEs/v1.27.6/furyctl.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. - - -# This is a sample configuration file to be used as a starting point. For the -# complete reference of the configuration file schema, please refer to the -# official documentation: -# https://docs.kubernetesfury.com/docs/furyctl/providers/kfddistribution - ---- -apiVersion: kfd.sighup.io/v1alpha2 -kind: KFDDistribution -metadata: - # The name of the cluster, will be also used as a prefix for all the other resources created - name: sighup -spec: - # This value defines which KFD version will be installed and in consequence the Kubernetes version to use to create the cluster, - # it supports git tags and branches - distributionVersion: v1.27.6 - # This section describes how the KFD distribution will be installed - distribution: - # This common configuration will be applied to all the packages that will be installed in the cluster - kubeconfig: path/to/kubeconfig - # common: - # # The node selector to use to place the pods for all the KFD packages - # nodeSelector: - # node.kubernetes.io/role: infra - # # The tolerations that will be added to the pods for all the KFD packages - # tolerations: - # - effect: NoSchedule - # key: node.kubernetes.io/role - # value: infra - # This section contains all the configurations for all the KFD core modules - modules: - networking: - # this type defines if we need to install the networking in the cluster, type available: none, cilium, calico - type: none - # This section contains all the configurations for the ingress module - ingress: - # the base domain used for all the KFD ingresses, if in the nginx dual configuration, it should be the same as the .spec.distribution.modules.ingress.dns.private.name zone - baseDomain: internal.example.dev - # configurations for the nginx ingress controller package - nginx: - # type defines if the nginx should 
be configured as single or dual (internal + external) or none, with none no ingress controller will be deployed and also no ingress resource will be created - type: dual - # the tls section defines how the tls for the ingresses should be managed - tls: - # provider can be certManager, secret - provider: certManager - # if provider is set as secret, this key will be used to create the certificate in the cluster - # secret: - # the certificate file content or you can use the file notation to get the content from a file - # cert: "{file://relative/path/to/ssl.crt}" - # the key file, a file notation can be used to get the content from a file - # key: "{file://relative/path/to/ssl.key}" - # the ca file, a file notation can be used to get the content from a file - # ca: "{file://relative/path/to/ssl.ca}" - # configuration for the cert-manager package - certManager: - # the configuration for the clusterIssuer that will be created - clusterIssuer: - # the name of the clusterIssuer - name: letsencrypt-fury - # the email used during issuing procedures - email: example@sighup.io - # you can configure the clusterIssuer by specifing type (can be only http01) or custom solvers - type: http01 - # the custom solvers configurations - # solvers: - # - http01: - # ingress: - # class: nginx - # This section contains all the configurations for the logging module - logging: - # can be opensearch or loki or none, with none, nothing from the logging module will be installed - type: loki - # configurations for the minio-ha package - minio: - # the PVC size for each minio disk, 6 disks total - storageSize: "20Gi" - # This section contains all the configurations for the monitoring module - monitoring: - # can be prometheus or mimir or none, with none, nothing from the monitoring module will be installed - type: "prometheus" - # This section contains all the configurations for the tracing module - tracing: - # can be tempo or none, with none, nothing from the tracing module will be installed 
- type: tempo - # configurations for the minio-ha package - minio: - # the PVC size for each minio disk, 6 disks total - storageSize: "20Gi" - # This section contains all the configurations for the policy (opa) module - policy: - # type can be gatekeeper, kyverno or none - type: gatekeeper - # configurations for the gatekeeper package - gatekeeper: - # This parameter adds namespaces to Gatekeeper's exemption list, so it will not enforce the constraints on them. - additionalExcludedNamespaces: [] - installDefaultPolicies: true - enforcementAction: deny - # This section contains all the configurations for the Disaster Recovery module - dr: - # type can be none or on-premises - type: on-premises - # Configurations for the velero package - velero: {} - # This section contains all the configurations for the auth module - auth: - provider: - # The authentication type used for the infrastructure ingresses (all the ingress for the distribution) can be none, basicAuth, sso - type: none - # The base domain used for all the auth ingresses, if in the nginx dual configuration, it should be the same as the .spec.distribution.modules.ingress.dns.public.name zone - baseDomain: example.dev - # Custom Patches to add or override fields in the generated manifests - #customPatches: {} - # Plugins to be installed - #plugins: {} \ No newline at end of file diff --git a/CVEs/v1.27.7/furyctl.yaml b/CVEs/v1.28.5/furyctl.yaml similarity index 96% rename from CVEs/v1.27.7/furyctl.yaml rename to CVEs/v1.28.5/furyctl.yaml index f2f5e52f..a2ca180a 100644 --- a/CVEs/v1.27.7/furyctl.yaml +++ b/CVEs/v1.28.5/furyctl.yaml 
@@ -1,4 +1,4 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/sighupio/fury-distribution/v1.27.7/schemas/public/kfddistribution-kfd-v1alpha2.json
+# yaml-language-server: $schema=https://raw.githubusercontent.com/sighupio/fury-distribution/v1.30.0-rc.4/schemas/public/kfddistribution-kfd-v1alpha2.json
 # Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
@@ -18,7 +18,7 @@ metadata:
 spec:
 # This value defines which KFD version will be installed and in consequence the Kubernetes version to use to create the cluster,
 # it supports git tags and branches
- distributionVersion: v1.27.7
+ distributionVersion: v1.28.5
 # This section describes how the KFD distribution will be installed
 distribution:
 # This common configuration will be applied to all the packages that will be installed in the cluster
@@ -76,6 +76,9 @@ spec:
 logging:
 # can be opensearch, loki, customOutput or none. With none, the logging module won't be installed
 type: loki
+ # configurations for the loki package
+ loki:
+ tsdbStartDate: "2024-11-20"
 # configurations for the minio-ha package
 minio:
 # the PVC size for each minio disk, 6 disks total
diff --git a/CVEs/v1.27.8/furyctl.yaml b/CVEs/v1.29.5/furyctl.yaml
similarity index 96%
rename from CVEs/v1.27.8/furyctl.yaml
rename to CVEs/v1.29.5/furyctl.yaml
index 9355c009..c7ac385c 100644
--- a/CVEs/v1.27.8/furyctl.yaml
+++ b/CVEs/v1.29.5/furyctl.yaml
@@ -1,4 +1,4 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/sighupio/fury-distribution/v1.27.8/schemas/public/kfddistribution-kfd-v1alpha2.json
+# yaml-language-server: $schema=https://raw.githubusercontent.com/sighupio/fury-distribution/v1.30.0-rc.4/schemas/public/kfddistribution-kfd-v1alpha2.json
 # Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
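Review bot: The `$schema` comment in the first hunk now pins `v1.30.0-rc.4` while `distributionVersion` in the second hunk is set to `v1.28.5`, so editor validation runs against a release-candidate schema that is not the version furyctl will apply; the renamed `v1.29.5` file has the same mismatch, and the `v1.30.0` file is validated against an rc tag rather than its own release. If the per-version schema does not carry the newly added `loki.tsdbStartDate` key, this mismatch would keep the editor from flagging it, so it is worth confirming the tag against each `distributionVersion` and, where a matching tag exists, pointing the comment at it, e.g. `# yaml-language-server: $schema=https://raw.githubusercontent.com/sighupio/fury-distribution/v1.28.5/schemas/public/kfddistribution-kfd-v1alpha2.json`. Since the three renamed files otherwise differ only in version, a one-line comment above `tsdbStartDate` saying why `"2024-11-20"` is the right start date for every version would save the next reader from guessing.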
@@ -18,7 +18,7 @@ metadata:
 spec:
 # This value defines which KFD version will be installed and in consequence the Kubernetes version to use to create the cluster,
 # it supports git tags and branches
- distributionVersion: v1.27.8
+ distributionVersion: v1.29.5
 # This section describes how the KFD distribution will be installed
 distribution:
 # This common configuration will be applied to all the packages that will be installed in the cluster
@@ -76,6 +76,9 @@ spec:
 logging:
 # can be opensearch, loki, customOutput or none. With none, the logging module won't be installed
 type: loki
+ # configurations for the loki package
+ loki:
+ tsdbStartDate: "2024-11-20"
 # configurations for the minio-ha package
 minio:
 # the PVC size for each minio disk, 6 disks total
diff --git a/CVEs/v1.27.9/furyctl.yaml b/CVEs/v1.30.0/furyctl.yaml
similarity index 96%
rename from CVEs/v1.27.9/furyctl.yaml
rename to CVEs/v1.30.0/furyctl.yaml
index 95601714..1af8b51c 100644
--- a/CVEs/v1.27.9/furyctl.yaml
+++ b/CVEs/v1.30.0/furyctl.yaml
@@ -1,4 +1,4 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/sighupio/fury-distribution/v1.27.9/schemas/public/kfddistribution-kfd-v1alpha2.json
+# yaml-language-server: $schema=https://raw.githubusercontent.com/sighupio/fury-distribution/v1.30.0-rc.4/schemas/public/kfddistribution-kfd-v1alpha2.json
 # Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
@@ -18,7 +18,7 @@ metadata:
 spec:
 # This value defines which KFD version will be installed and in consequence the Kubernetes version to use to create the cluster,
 # it supports git tags and branches
- distributionVersion: v1.27.9
+ distributionVersion: v1.30.0
 # This section describes how the KFD distribution will be installed
 distribution:
 # This common configuration will be applied to all the packages that will be installed in the cluster
@@ -76,6 +76,9 @@ spec:
 logging:
 # can be opensearch, loki, customOutput or none. With none, the logging module won't be installed
 type: loki
+ # configurations for the loki package
+ loki:
+ tsdbStartDate: "2024-11-20"
 # configurations for the minio-ha package
 minio:
 # the PVC size for each minio disk, 6 disks total