feat: update KubectlLayer with the latest security patches for Helm and remove deprecated python3.7 and nodejs14.x runtimes #623

Merged
merged 56 commits into from
Jun 5, 2024

@awsdataarchitect awsdataarchitect commented Mar 8, 2024

Similar to #546, this PR adds kubectl 1.29.4 and Helm 3.14.4 security patch
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1293
https://github.com/helm/helm/releases/tag/v3.14.4

Fixes #588.
Fixes #752.

Removes the EOL python3.7 runtime in the integ test and upgrades nodejs14.0 to nodejs16.0 used in the custom resource provider by upgrading aws-cdk-lib from 2.28.0 to 2.85.0 in the current branch, which addresses the usage of node 14 #25995

awsdataarchitect commented Mar 8, 2024

@pahud @kaizencc @robertd @udaypant @cgarvis can you please review and approve this one? The nodejs14 in aws-cdk-lib 2.28.0 is causing errors due to EOL when installing the kubectl utility.

@awsdataarchitect awsdataarchitect marked this pull request as draft March 9, 2024 21:31
@awsdataarchitect awsdataarchitect marked this pull request as ready for review March 9, 2024 21:35
robertd commented Mar 24, 2024 via email

@aaythapa aaythapa left a comment

Thanks for making this change!

awsdataarchitect commented May 4, 2024

@GavinZZ @aaythapa @pahud @kaizencc can we ship this one now?

awsdataarchitect commented May 17, 2024

@pahud @kaizencc #566 - This was missed in the previous release for v.129 - The golang bindings have not been published for 1.29. Appreciate if it can be published with this PR.

https://github.com/cdklabs/awscdk-asset-kubectl/blob/kubectl-v29/main/CONTRIBUTING.md?plain=1#L55

If we decide to support the requested version, a maintainer will open a new branch, kubectl-vY/main
(Y is the minor version) and update the issue accordingly. The maintainer will also open a branch called kubectl.vY
in the corresponding go binding repository, cdklabs/awscdk-kubectl-go.
ref awscdk-kubectl-go

@kriscoleman

> @pahud @kaizencc #566 - This was missed in previous release for v.129 - The golang bindings have not been published for 1.29. Appreciate if it can be published with this PR.
>
> https://github.com/cdklabs/awscdk-asset-kubectl/blob/kubectl-v29/main/CONTRIBUTING.md?plain=1#L55
>
> If we decide to support the requested version, a maintainer will open a new branch, kubectl-vY/main (Y is the minor version) and update the issue accordingly. The maintainer will also open a branch called kubectl.vY in the corresponding go binding repository, cdklabs/awscdk-kubectl-go. ref awscdk-kubectl-go

This is something my team is running into right now with our Go CDK app, and we're following this closely.

Our stack uses an EKS construct and we set it up with k8s 1.29, but any stack updates we try to apply against that EKS resource fail to update because of the kubectl layer differences, as the latest kubectl layer provided to Go CDK is 1.21. This is causing our self-mutates to fail, and the only way we can really update the stack when we touch the EKS resources is to do a destroy/deploy.

If we could fix the kubectl layer bindings for Go CDK... this would solve a big problem for us.

@GavinZZ GavinZZ left a comment

LGTM, thanks for making this change. Apologize for the delayed response.

@awsdataarchitect

> LGTM, thanks for making this change. Apologize for the delayed response.

Thanks @GavinZZ, can you advise on this: "::error::Files were changed during build (see build log). If this was triggered from a fork, you will need to update your branch."
Error: Files were changed during build (see build log). If this was triggered from a fork, you will need to update your branch.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml

@mergify mergify bot merged commit e5cef1b into cdklabs:kubectl-v29/main Jun 5, 2024
12 checks passed