fix: eliminate critical/high vulnerabilities and add Grype/Scout scanning targets (#427)

kriscoleman · web-flow · commit 3a08e0e2c8c3 · 2026-05-11T13:29:01.000-04:00
fix: static binary, trixie-slim runtime, Grype/Scout targets, and CMX E2E tests - Build a fully static binary (CGO_ENABLED=0) so the runtime image no longer needs runtime library packages. - Switch runtime base from debian:bookworm-slim to debian:trixie-slim. Fresh scans (May 2026) show trixie carries fewer inherited CVEs: Grype: 2 critical / 12 high (vs 3 / 22 on bookworm) Scout: 0 critical / 0 high (vs 0 / 4 on bookworm) Also fixes CVE-2026-33845 (gnutls) and CVE-2023-45853 (zlib). - Add Makefile targets for vulnerability scanning: make grype-repo # Grype filesystem scan make grype-image # Grype image scan make docker-scout-image # Docker Scout image scan - Add automated E2E test automation via Replicated CMX: scripts/e2e-test.sh # VM lifecycle + kURL + health checks scripts/kurl-installer-minimal.yaml # Minimal kURL spec for speed make test-e2e / make test-e2e-ci # Local and CI entrypoints - Add .github/workflows/e2e-test.yaml triggered on push to main or workflow_dispatch. Auto-discovers accessible Replicated apps, validates the API token, and skips gracefully when unavailable. - Add AGENTS.md and CLAUDE.md project documentation. - Update README.md to document the automated E2E workflow.
diff --git a/.github/workflows/e2e-test.yaml b/.github/workflows/e2e-test.yaml
@@ -0,0 +1,114 @@
+name: e2e-test
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      ekco_image:
+        description: 'EKCO image to test (e.g. ttl.sh/user/ekco:tag)'
+        required: true
+        type: string
+      replicated_app:
+        description: 'Replicated app slug to use for CMX (default: kurl-sandbox)'
+        required: false
+        type: string
+        default: 'kurl-sandbox'
+
+jobs:
+  e2e-test:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: 'go.mod'
+
+      - name: Install replicated CLI
+        run: |
+          REPLICATED_VERSION=$(curl -s https://api.github.com/repos/replicatedhq/replicated/releases/latest | jq -r '.tag_name | ltrimstr("v")')
+          curl -fsSL "https://github.com/replicatedhq/replicated/releases/download/v${REPLICATED_VERSION}/replicated_${REPLICATED_VERSION}_linux_amd64.tar.gz" | tar -xz -C /tmp
+          sudo mv /tmp/replicated /usr/local/bin/replicated
+          replicated version
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          ssh-keygen -t ed25519 -N '' -f ~/.ssh/id_ed25519
+          cat ~/.ssh/id_ed25519.pub
+
+      - name: Build and push image (main)
+        if: github.event_name != 'workflow_dispatch'
+        run: |
+          make docker-image DOCKER_IMAGE=ttl.sh/replicated/ekco:$GITHUB_SHA VERSION=$GITHUB_REF_NAME
+          docker push ttl.sh/replicated/ekco:$GITHUB_SHA
+          echo "EKCO_IMAGE=ttl.sh/replicated/ekco:$GITHUB_SHA" >> $GITHUB_ENV
+
+      - name: Build and push image (manual)
+        if: github.event_name == 'workflow_dispatch'
+        run: |
+          make docker-image DOCKER_IMAGE=${{ inputs.ekco_image }} VERSION=$GITHUB_REF_NAME
+          docker push ${{ inputs.ekco_image }}
+          echo "EKCO_IMAGE=${{ inputs.ekco_image }}" >> $GITHUB_ENV
+
+      - name: Check Replicated API token
+        id: check-token
+        env:
+          REPLICATED_API_TOKEN: ${{ secrets.REPLICATED_API_TOKEN }}
+          INPUT_APP: ${{ inputs.replicated_app }}
+        run: |
+          if [ -z "$REPLICATED_API_TOKEN" ]; then
+            echo "REPLICATED_API_TOKEN secret is not configured. Skipping E2E tests."
+            echo "skipped=true" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          test_app() {
+            local app="$1"
+            replicated --token "$REPLICATED_API_TOKEN" --app "$app" installer ls --output json > /dev/null 2>&1
+          }
+
+          CANDIDATE_APP="${INPUT_APP:-kurl-sandbox}"
+          if test_app "$CANDIDATE_APP"; then
+            echo "Using app: $CANDIDATE_APP"
+            echo "replicated_app=$CANDIDATE_APP" >> $GITHUB_OUTPUT
+            echo "skipped=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          echo "Cannot access app '$CANDIDATE_APP'. Searching for an accessible app with installers..."
+          APP_LIST=$(replicated --token "$REPLICATED_API_TOKEN" app ls --output json 2>&1 || true)
+          SLUGS=$(echo "$APP_LIST" | jq -r '.[].app.slug' 2>/dev/null || true)
+
+          for slug in $SLUGS; do
+            if test_app "$slug"; then
+              echo "Found accessible app with installers: $slug"
+              echo "replicated_app=$slug" >> $GITHUB_OUTPUT
+              echo "skipped=false" >> $GITHUB_OUTPUT
+              exit 0
+            fi
+          done
+
+          echo "No accessible app with installers found. Skipping E2E tests."
+          echo "skipped=true" >> $GITHUB_OUTPUT
+
+      - name: Run E2E tests
+        if: steps.check-token.outputs.skipped != 'true'
+        env:
+          REPLICATED_APP: ${{ steps.check-token.outputs.replicated_app }}
+          REPLICATED_API_TOKEN: ${{ secrets.REPLICATED_API_TOKEN }}
+          SSH_KEY: ~/.ssh/id_ed25519
+          VM_TTL: 2h
+        run: |
+          make test-e2e-ci
+
+      - name: Upload logs on failure
+        if: failure() && steps.check-token.outputs.skipped != 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: e2e-logs
+          path: /tmp/e2e-*.log
+          retention-days: 7
diff --git a/.gitignore b/.gitignore
@@ -17,4 +17,6 @@ vendor/
 # Additional
 *DS_Store
 /bin/
-.idea
+.idea
+
+.envrc
diff --git a/AGENTS.md b/AGENTS.md
@@ -0,0 +1,95 @@
+# EKCO — Agent Guide
+
+Compact, repo-specific guidance for OpenCode sessions.
+
+## What this is
+
+EKCO (Embedded kURL cluster operator) is a single Go binary that runs as a Kubernetes operator to maintain the health of a kURL cluster. It is **not** a library or multi-service repo.
+
+- **Language / toolchain:** Go (module `github.com/replicatedhq/ekco`)
+- **Entrypoint:** `cmd/ekco/main.go`
+- **CLI framework:** Cobra / Viper (commands live in `cmd/ekco/cli/`)
+- **Primary command:** `ekco operator` (long-running operator)
+- **Other commands:** `purge-node`, `rotate-certs`, `regen-cert`, `change-load-balancer`, `generate-haproxy-*`, `set-kubeconfig-server` (see `cmd/ekco/cli/`)
+
+## Build, test, lint
+
+Use the Makefile. Do not guess the Go version or linter config.
+
+```bash
+# Install tooling (golangci-lint)
+make deps
+
+# Full verification — order enforced by Makefile: lint -> vet -> test
+make test
+
+# Build binary (outputs bin/ekco)
+make build
+
+# Build Docker image
+make docker-image
+```
+
+**Lint rules are non-default.** `.golangci.yaml` disables `errcheck` and `staticcheck`, and ignores all `*_test.go` files (`exclusions.paths`). Do not re-enable them locally.
+
+**Test scope:** `go test ./pkg/... ./cmd/...` — only `pkg` and `cmd`; there is no root-level test target.
+
+## Docker / deploy quirks
+
+- The Dockerfile is at `deploy/Dockerfile`, not the repo root.
+- `ROOK_VERSION` defaults to `1.11.8` in the Makefile and Dockerfile.
+- The build stage downloads Helm and pulls `rook-ceph-cluster` chart into `pkg/helm/charts`.
+- Git SHA / version are injected via ldflags at build time (`pkg/version`).
+
+## Manual integration testing
+
+Do **not** use `make docker-image && kubectl apply -k deploy/` — the README notes this is broken and out of sync.
+
+Current workflow (from README):
+
+1. `make build-ttl.sh` — pushes a temporary image to `ttl.sh/${USER}/ekco:12h`.
+2. Deploy a kURL cluster that includes EKCO.
+3. Patch the deployment:
+   ```bash
+   kubectl edit -n kurl deployment/ekc-operator
+   # set image to ttl.sh/<user>/ekco:12h and imagePullPolicy: Always
+   kubectl delete pod -l app=ekc-operator -n kurl
+   ```
+
+## Mocks
+
+Generated with `github.com/golang/mock`:
+
+```bash
+make generate-mocks
+```
+
+This currently only covers `pkg/k8s/exec.go` → `pkg/k8s/mock/mock_exec.go`.
+
+## Monorepo boundaries
+
+There are none. The repo is a single Go module with two top-level directories:
+
+- `cmd/` — CLI commands and `main.go`
+- `pkg/` — operator logic, cluster controller, K8s clients, webhooks, cert rotation, object-store helpers, etc.
+- `deploy/` — Dockerfile, Kustomize manifests, and RBAC for the operator
+
+No frontend, no separate API service, no nested Go modules.
+
+## Key external dependencies & constraints
+
+- Deep integration with **Rook Ceph**, **Kubernetes**, **Contour**, **Velero**, **etcd**, and **Prometheus Operator**.
+- `go.mod` carries a large set of `replace` and `exclude` blocks inherited from Rook. Do not prune them; they resolve transitive conflicts.
+- CI uses `go-version-file: 'go.mod'` so the declared Go version is the source of truth.
+
+## CI / release conventions
+
+- **PRs:** `make deps test build` + `make docker-image` (pushed to `ttl.sh`).
+- **Main branch:** `make docker-image` pushed to `replicated/ekco:alpha`.
+- **Releases:** Push a semver tag `v*.*.*` (e.g. `git tag -a v0.1.0 -m "Release v0.1.0" && git push origin v0.1.0`). Image is pushed to `replicated/ekco:<tag>`.
+- Scheduled vulnerability scans use Grype (`.grype.yaml`) against the repo and the built image.
+
+## When in doubt
+
+- Prefer `Makefile` targets over raw `go` commands — ldflags and build args matter.
+- Trust executable configs (`Makefile`, `.golangci.yaml`, `.github/workflows/`) over prose in README for build/test steps.
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -0,0 +1 @@
+@AGENTS.md
diff --git a/Makefile b/Makefile
@@ -42,6 +42,8 @@ clean:
 .PHONY: deps
 deps:
 	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(shell go env GOPATH)/bin v2.11.4
+	curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b $(shell go env GOPATH)/bin
+	go install github.com/golang/mock/mockgen@v1.6.0
 
 .PHONY: lint
 lint:
@@ -82,7 +84,35 @@ build-ttl.sh: ## Build the EKCO Docker container and deploy it to ttl.sh for use
 		.
 	docker push ttl.sh/${CURRENT_USER}/ekco:12h
 
+.PHONY: install-grype
+install-grype:
+	curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b $(shell go env GOPATH)/bin
+
+.PHONY: grype-repo
+grype-repo: ## Scan the repo filesystem for vulnerabilities using Grype
+	grype dir:.
+
+.PHONY: grype-image
+grype-image: ## Scan the Docker image for vulnerabilities using Grype (image must exist locally)
+	grype $(DOCKER_IMAGE)
+
+.PHONY: docker-scout-image
+docker-scout-image: ## Scan the Docker image for vulnerabilities using Docker Scout (image must exist locally)
+	docker scout cves $(DOCKER_IMAGE)
+
 .PHONY: generate-mocks
 generate-mocks: ## Generate mocks tests for CLI and preflight. More info: https://github.com/golang/mock
 	go install github.com/golang/mock/mockgen@v1.6.0
 	mockgen -source=pkg/k8s/exec.go -destination=pkg/k8s/mock/mock_exec.go
+
+.PHONY: test-e2e
+test-e2e: build-ttl.sh ## Run E2E tests on a kURL cluster in CMX.
+	EKCO_IMAGE=ttl.sh/$(CURRENT_USER)/ekco:12h ./scripts/e2e-test.sh
+
+.PHONY: test-e2e-ci
+test-e2e-ci: ## Run E2E tests in CI using an already-built image.
+	@if [ -z "$(EKCO_IMAGE)" ]; then \
+		echo "ERROR: EKCO_IMAGE must be set for CI e2e tests"; \
+		exit 1; \
+	fi
+	./scripts/e2e-test.sh
diff --git a/README.md b/README.md
@@ -23,6 +23,9 @@ Steps
    2. Replace .spec.imagePullPolicy with "Always"
    3. **kubectl delete pod -l app=ekc-operator -n kurl** - Delete the pod in the deployment to pull the new image
 
+### Automated testing
+The `scripts/e2e-test.sh` script automates the above manual workflow using [Replicated CMX](https://docs.replicated.com/vendor/testing-about). It provisions a CMX VM, installs a kURL cluster, patches the EKCO deployment with a ttl.sh image, and runs health checks. Run `make test-e2e` after `make build-ttl.sh` to use it.
+
 
 ## Release
 
diff --git a/deploy/Dockerfile b/deploy/Dockerfile
@@ -17,16 +17,15 @@ RUN helm repo add rook-release https://charts.rook.io/release
 RUN helm repo update
 RUN helm pull rook-release/rook-ceph-cluster --version $rook_version && mv rook-ceph-cluster-* pkg/helm/charts
 
-RUN make build GIT_SHA=$git_sha VERSION=$version
+RUN CGO_ENABLED=0 make build GIT_SHA=$git_sha VERSION=$version
 
 
-FROM debian:bookworm-slim
+FROM debian:trixie-slim
 
-RUN DEBIAN_FRONTEND=noninteractive apt-get update -qq && apt-get upgrade -qq && apt-get install -y --no-install-recommends \
-    libgcrypt20 \
-    libgnutls30 \
-    liblz4-1 \
-    && rm -rf /var/lib/apt/lists/*
+# Even though the binary is fully static and we don't install new packages,
+# apt-get upgrade patches existing base-image packages so vulnerability scans
+# (Grype, Docker Scout) report fewer inherited CVEs.
+RUN DEBIAN_FRONTEND=noninteractive apt-get update -qq && apt-get upgrade -qq && rm -rf /var/lib/apt/lists/*
 
 COPY --from=build /go/src/github.com/replicatedhq/ekco/bin/* /usr/bin/
 
@@ -36,4 +35,4 @@ ARG version=alpha
 ENV GIT_SHA=$git_sha
 ENV VERSION=$version
 
-ENTRYPOINT /usr/bin/ekco
+ENTRYPOINT ["/usr/bin/ekco"]
diff --git a/scripts/e2e-test.sh b/scripts/e2e-test.sh
diff --git a/scripts/kurl-installer-minimal.yaml b/scripts/kurl-installer-minimal.yaml
diff --git a/scripts/kurl-installer.yaml b/scripts/kurl-installer.yaml
