Merge pull request #224 from cloudogu/feature/update-kubernetes

nihussmann · web-flow · commit b8e5821a7913 · 2024-09-20T10:02:04.000+02:00
Update to kubernetes 1.29.8
diff --git a/Dockerfile b/Dockerfile
@@ -5,20 +5,20 @@ ARG JDK_VERSION='17'
 # Set by the micronaut BOM, see pom.xml
 ARG GRAAL_VERSION='22.3.0'
 
-FROM alpine:3 as alpine
+FROM alpine:3 AS alpine
 
 # Keep in sync with the version in pom.xml
 FROM ghcr.io/graalvm/graalvm-ce:ol8-java${JDK_VERSION}-${GRAAL_VERSION} AS graal
 
-FROM graal as maven-cache
+FROM graal AS maven-cache
 ENV MAVEN_OPTS='-Dmaven.repo.local=/mvn'
 WORKDIR /app
 COPY .mvn/ /app/.mvn/
 COPY mvnw /app/
 COPY pom.xml /app/
 RUN ./mvnw dependency:resolve-plugins dependency:go-offline -B 
 
-FROM graal as maven-build
+FROM graal AS maven-build
 ENV MAVEN_OPTS='-Dmaven.repo.local=/mvn'
 COPY --from=maven-cache /mvn/ /mvn/
 COPY --from=maven-cache /app/ /app
@@ -38,15 +38,15 @@ RUN ./mvnw package -DskipTests
 RUN mv $(ls -S target/*.jar | head -n 1) /app/gitops-playground.jar
 
 
-FROM alpine as downloader
+FROM alpine AS downloader
 RUN apk add curl grep
 # When updating, 
 # * also update the checksum found at https://dl.k8s.io/release/v${K8S_VERSION}/bin/linux/amd64/kubectl.sha256
 # * also update in init-cluster.sh. vars.tf, ApplicationConfigurator.groovy and apply.sh
 # When upgrading to 1.26 we can verify the kubectl signature with cosign!
 # https://kubernetes.io/blog/2022/12/12/kubernetes-release-artifact-signing/
-ARG K8S_VERSION=1.29.1
-ARG KUBECTL_CHECKSUM=69ab3a931e826bf7ac14d38ba7ca637d66a6fcb1ca0e3333a2cafdf15482af9f
+ARG K8S_VERSION=1.29.8
+ARG KUBECTL_CHECKSUM=038454e0d79748aab41668f44ca6e4ac8affd1895a94f592b9739a0ae2a5f06a
 # When updating, also upgrade helm image in ApplicationConfigurator
 ARG HELM_VERSION=3.15.4
 # bash curl unzip required for Jenkins downloader
@@ -131,7 +131,7 @@ RUN touch /dist/root/.config/jgit/config
 RUN chmod +r /dist/root/ && chmod g+rw /dist/root/.config/jgit/
 
 # This stage builds a static binary using graal VM. For details see docs/developers.md#GraalVM
-FROM graal as native-image
+FROM graal AS native-image
 ENV MAVEN_OPTS='-Dmaven.repo.local=/mvn'
 RUN gu install native-image
 RUN microdnf install gnupg
@@ -207,13 +207,13 @@ RUN native-image -Dgroovy.grape.enable=false \
 
 
 
-FROM alpine as prod
+FROM alpine AS prod
 # copy groovy cli binary from native-image stage
 COPY --from=native-image /app/apply-ng app/apply-ng
 ENTRYPOINT ["/app/apply-ng"]
 
 
-FROM eclipse-temurin:${JDK_VERSION}-jre-alpine as dev
+FROM eclipse-temurin:${JDK_VERSION}-jre-alpine AS dev
 
 # apply-ng.sh is part of the dev image and allows trying changing groovy code inside the image for debugging
 # Allow changing code in dev mode, less secure, but the intention of the dev image
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -3,8 +3,8 @@
 import com.cloudogu.ces.cesbuildlib.*
 
 String getDockerRegistryBaseUrl() { 'ghcr.io' }
-
 String getDockerImageName() { 'cloudogu/gitops-playground' }
+String getTrivyVersion() { '0.55.0'}
 
 properties([
         // Dont keep builds forever to preserve space
@@ -207,7 +207,8 @@ def scanForCriticalVulns(String imageName, String fileName){
     trivyConfig = [
             imageName      : imageName,
             severity       : ['CRITICAL'],
-            additionalFlags: '--ignore-unfixed'
+            additionalFlags: '--ignore-unfixed',
+            trivyVersion: trivyVersion
     ]
 
     def vulns = findVulnerabilitiesWithTrivy(trivyConfig)
@@ -221,7 +222,8 @@ def scanForCriticalVulns(String imageName, String fileName){
 
 def scanForAllVulns(String imageName, String fileName){
     trivyConfig = [
-            imageName      : imageName
+            imageName      : imageName,
+            trivyVersion: trivyVersion
     ]
 
     def vulns = findVulnerabilitiesWithTrivy(trivyConfig)
diff --git a/docs/k3d.md b/docs/k3d.md
@@ -114,7 +114,7 @@ k3d cluster create gitops-playground \
   # Mount port for ingress
   -p 80:80@server:0:direct \
   # Pin image for reproducibility
-  --image=rancher/k3s:v1.29.1-k3s2 \
+  --image=rancher/k3s:v1.29.8-k3s2 \
   # Disable built-in ingress controller, because we want to use the same one locally and in prod
   --k3s-arg=--disable=traefik@server:0 \
   # Allow node ports < 30000
diff --git a/scripts/init-cluster.sh b/scripts/init-cluster.sh
@@ -4,8 +4,8 @@
 # This variable is also read in Jenkinsfile
 K3D_VERSION=5.6.0
 # When updating please also adapt in Dockerfile, vars.tf and ApplicationConfigurator.groovy
-K8S_VERSION=1.29.1
-K3S_VERSION="rancher/k3s:v${K8S_VERSION}-k3s2"
+K8S_VERSION=1.29.8
+K3S_VERSION="rancher/k3s:v${K8S_VERSION}-k3s1"
 
 set -o errexit
 set -o nounset
