Security update for version 1.6

* fix the problems found when deploying version 1.6

* add dpkg fix for some VMSS extension deployment error

* fix the CIDR ranges to avoid same IP address issues

* update csi-blob driver to 1.27.4

* update cilium to 1.18.10

* fix security warnings for different docker images

* fix the rdma plugin GO package and toolchain version

* update GO to 1.25.10 with net package version for different images

* change all go versions with minor version

---------

Co-authored-by: Rui Gao <ruigao@microsoft.com>

Author: hippogr

contrib/aks/k8s-deploy/cilium.yaml

@@ -15,6 +15,7 @@ wait_for_dpkg_lock() {
         echo "Timed out waiting for dpkg lock."
         exit 124
     fi
+    dpkg --configure -a || true
     bash -c 'exec "$@"' -- "$@"
 }
 

contrib/aks/scripts/config-ipoib.sh

@@ -21,6 +21,7 @@ wait_for_dpkg_lock() {
         echo "Timed out waiting for dpkg lock."
         exit 124
     fi
+    dpkg --configure -a || true
     bash -c 'exec "$@"' -- "$@"
 }
 

contrib/aks/scripts/install-fuse.sh

@@ -42,12 +42,13 @@ def modify(yaml_url):
             node_selector_terms = data['spec']['template']['spec']['affinity']['nodeAffinity']['requiredDuringSchedulingIgnoredDuringExecution']['nodeSelectorTerms']
             node_selector_terms[0]['matchExpressions'].extend(node_affinity_config['matchExpressions'])
 
-    # Convert the modified YAML content back to a string
+    # Convert the modified YAML content back to a string, filtering out empty documents
+    documents = [doc for doc in documents if doc]
     modified_yaml_content = yaml.dump_all(documents, default_flow_style=False)
     return modified_yaml_content
 
 if __name__ == "__main__":
-    url = sys.argv[1] if len(sys.argv) > 1 else "https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/refs/heads/master/deploy/csi-blob-node.yaml"
+    url = sys.argv[1] if len(sys.argv) > 1 else "https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/refs/tags/v1.27.4/deploy/csi-blob-node.yaml"
     output_file = sys.argv[2] if len(sys.argv) > 2 else "modified_csi-blob-node.yaml"
     modified_yaml_content = modify(url)
     with open(output_file, 'w') as yaml_file:

contrib/kubespray/script/modify_csi_blob_node_yaml.py

@@ -10,7 +10,7 @@ WORKDIR /usr/src/app
 
 # Copy package files and openpaidbsdk source (needed for file: dependency resolution)
 COPY ./src/job-status-change-notification/package.json ./src/job-status-change-notification/yarn.lock* ./src/job-status-change-notification/.yarnrc.yml ./
-COPY ./src/job-status-change-notification/openpaidbsdk/package.json ./openpaidbsdk/package.json
+COPY ./src/job-status-change-notification/openpaidbsdk ./openpaidbsdk
 
 RUN corepack enable && corepack install -g yarn@4.2.2
 RUN yarn workspaces focus --production

src/alert-manager/build/job-status-change-notification.common.dockerfile

@@ -10,7 +10,10 @@ RUN tdnf update -y && tdnf clean all
 # install kusto sdk
 COPY ./src/node-issue-classifier .
 
-RUN pip3 install --no-cache-dir -r requirements.txt
+RUN tdnf remove -y python3-pip && \
+    python3 -m ensurepip && \
+    python3 -m pip install --no-cache-dir --upgrade pip && \
+    pip3 install --no-cache-dir -r requirements.txt
 
 # Run the service
 ENTRYPOINT ["python3", "classifier_scheduler.py"]

src/alert-manager/build/node-issue-classifier.common.dockerfile

@@ -9,6 +9,9 @@ RUN tdnf update -y && tdnf clean all
 
 COPY ./src/node-recycler .
 
-RUN pip3 install -r requirements.txt
+RUN tdnf remove -y python3-pip && \
+    python3 -m ensurepip && \
+    python3 -m pip install --no-cache-dir --upgrade pip && \
+    pip3 install -r requirements.txt
 
 ENTRYPOINT ["python3", "recycler.py"]

src/alert-manager/build/node-recycler.common.dockerfile

@@ -1,16 +1,16 @@
 # Redis with Built-in Monitoring Tools for Node Failure Detection
 # Based on official Redis Alpine image with custom monitoring capabilities
-FROM golang:1.25 AS gosu
+FROM golang:1.25.10 AS gosu
 
 WORKDIR /src
 
 RUN git clone --branch 1.19 --depth 1 https://github.com/tianon/gosu.git .
 
-RUN go mod edit -go=1.25 \
- && go mod edit -toolchain=go1.25 \
- && go mod tidy -compat=1.25
+RUN go mod edit -go=1.25.10 \
+ && go mod edit -toolchain=go1.25.10 \
+ && go mod tidy -compat=1.25.10
 
-RUN go get -u ./... && go mod tidy -compat=1.25
+RUN go get -u ./... && go mod tidy -compat=1.25.10
 
 RUN go mod download
 

src/alert-manager/build/redis-monitoring.common.dockerfile

@@ -74,7 +74,8 @@
     "flatted": "^3.4.2",
     "ajv": "^6.14.0",
     "nodemailer": "^8.0.5",
-    "follow-redirects": "^1.16.0"
+    "follow-redirects": "^1.16.0",
+    "ip-address": "^10.1.1"
   },
   "scripts": {
     "lint": "eslint .",

src/alert-manager/src/alert-handler/package.json

@@ -2632,10 +2632,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"ip-address@npm:^10.0.1":
-  version: 10.1.0
-  resolution: "ip-address@npm:10.1.0"
-  checksum: 10c0/0103516cfa93f6433b3bd7333fa876eb21263912329bfa47010af5e16934eeeff86f3d2ae700a3744a137839ddfad62b900c7a445607884a49b5d1e32a3d7566
+"ip-address@npm:^10.1.1":
+  version: 10.2.0
+  resolution: "ip-address@npm:10.2.0"
+  checksum: 10c0/5a00aada6e922c9c69dfc800ed5d0fa3348675ebdeed0e1575f503f27ca385b5f534363c9af7ad1daf64c1f1409388cdd3cc2e9b9b0fe1c924a431378d55075a
   languageName: node
   linkType: hard