Merge branch 'development/130.0' into improvement/ARTESCA-14988-bump-loki

Author: vdaviot

.github/workflows/generate-sbom.yaml

@@ -31,7 +31,7 @@ on:
 
 jobs:
   generate-sbom:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     env:
       BASE_PATH: ${{ github.workspace }}/metalk8s_sbom
       SBOM_PATH: ${{ github.workspace }}/artifacts/sbom
@@ -49,24 +49,9 @@ jobs:
       - name: Create directories
         shell: bash
         run: |
-          mkdir -p ${{ env.BASE_PATH }}/repo
           mkdir -p ${{ env.BASE_PATH }}/iso
           mkdir -p ${{ env.SBOM_PATH }}
 
-      - name: Checkout repo for scanning
-        uses: actions/checkout@v4  
-        with:  
-          fetch-depth: 0  
-          fetch-tags: true
-          ref: ${{ inputs.ref }}
-          path: ${{ env.BASE_PATH }}/repo/metalk8s
-
-      - name: Generate sbom for repository
-        uses: scality/sbom@v1.2.2
-        with:
-          target: ${{ env.BASE_PATH }}/repo/metalk8s
-          output-dir: ${{ env.SBOM_PATH }}
-
       - name: Get artifacts URL
         if: ${{ ! inputs.artifacts-url }}
         uses: scality/action-artifacts@v4
@@ -98,24 +83,31 @@ jobs:
           echo "METALK8S_VERSION=$VERSION" >> $GITHUB_ENV
 
       - name: Generate sbom for extracted ISO
-        uses: scality/sbom@v1.2.2
+        uses: scality/sbom@v2.1.0
         with:
           target: ${{ env.BASE_PATH }}/iso/metalk8s.iso
-          output-dir: ${{ env.SBOM_PATH }}
+          target_type: iso
+          output_dir: ${{ env.SBOM_PATH }}
           version: ${{ env.METALK8S_VERSION }}
+          vuln: true
+          vuln_output_format: cyclonedx-json, html
+          merge: true
+          merge_hierarchical: true
 
       - name: Generate archive
         shell: bash
         run: |
           cd ${{ env.SBOM_PATH }}
-          tar -czf sbom_metalk8s.tar.gz *.json
+          tar -czf sbom_metalk8s.tar.gz *.json *.html
 
       - name: Clean up
         shell: bash
         run: |
-          rm -rf ${{ env.BASE_PATH }}/repo
           rm -rf ${{ env.BASE_PATH }}/iso
-          rm -f ${{ env.SBOM_PATH }}/*.json
+          find ${{ env.SBOM_PATH }} -mindepth 1 \
+            -not -name 'sbom_metalk8s.tar.gz' \
+            -not -name '*_merged_sbom_vuln.html' \
+            -exec rm -rf {} +
             
       - name: Generate Job result
         if: always()

CHANGELOG.md

@@ -17,6 +17,10 @@
   [v2.42.0](https://github.com/dexidp/dex/releases/tag/v2.42.0)
   (PR[#4558](https://github.com/scality/metalk8s/pull/4558))
 
+- Bump Fluent Bit image version to [3.2.8](https://github.com/fluent/fluent-bit/releases/tag/v3.2.8)
+  and Fluent Bit Helm chart version to [0.48.9](https://github.com/fluent/helm-charts/releases/tag/fluent-bit-0.48.9)
+  (PR[#4559](https://github.com/scality/metalk8s/pull/4559))
+
 - Bump Loki chart version to
   [6.29.0](https://github.com/grafana/loki/releases/tag/helm-loki-6.29.0)
   The Loki image has been bumped accordingly to

buildchain/buildchain/versions.py

@@ -273,8 +273,8 @@ def _version_prefix(version: str, prefix: str = "v") -> str:
     ),
     Image(
         name="fluent-bit",
-        version="3.1.9",
-        digest="sha256:4af3920cc2ff976200e0fc09f23e7ca4ee7d4477a6d592cb496fc39378181b02",
+        version="3.2.8",
+        digest="sha256:14da4a52ecdbb9bd9cb7a16ff6b4c7f391a4006cb13f84b5957e4608cc613e2c",
     ),
     Image(
         name="cert-manager-controller",

charts/fluent-bit/Chart.yaml

@@ -1,9 +1,9 @@
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: "Updated Fluent Bit OCI image to v3.1.9"
+      description: "Updated Fluent Bit OCI image to v3.2.8."
 apiVersion: v1
-appVersion: 3.1.9
+appVersion: 3.2.8
 description: Fast and lightweight log processor and forwarder or Linux, OSX and BSD
   family operating systems.
 home: https://fluentbit.io/
@@ -24,4 +24,4 @@ maintainers:
 name: fluent-bit
 sources:
 - https://github.com/fluent/fluent-bit/
-version: 0.47.10
+version: 0.48.9

charts/fluent-bit/README.md

@@ -27,7 +27,7 @@ Fluent Bit allows us to build filter to modify the incoming records using custom
 
 ### How to use Lua scripts with this Chart
 
-First, you should add your Lua scripts to `luaScripts` in values.yaml, for example:
+First, you should add your Lua scripts to `luaScripts` in values.yaml, templating is supported.
 
 ```yaml
 luaScripts:

charts/fluent-bit/ci/ci-values.yaml

@@ -3,6 +3,41 @@ testFramework:
 
 logLevel: debug
 
+extraVolumeMounts:
+  - name: extra-volume
+    mountPath: /extra-volume-path
+  - name: another-extra-volume
+    mountPath: /another-extra-volume-path
+
+extraVolumes:
+  - name: extra-volume
+    emptyDir: {}
+  - name: another-extra-volume
+    emptyDir: {}
+
 dashboards:
   enabled: true
   deterministicUid: true
+
+luaScripts:
+  filter_example.lua: |
+    function filter_name(tag, timestamp, record)
+        -- put your lua code here.
+    end
+  filter_with_templating_example.lua: |
+    local log_level = {{ .Values.logLevel | quote }}
+    function filter_with_templating_name(tag, timestamp, record)
+        -- put your lua code here.
+    end
+
+config:
+  outputs: |
+    [OUTPUT]
+        name   stdout
+        match  *
+
+hotReload:
+  enabled: true
+  extraWatchVolumes:
+    - extra-volume
+    - another-extra-volume

charts/fluent-bit/templates/_pod.tpl

@@ -108,11 +108,18 @@ containers:
       - {{ printf "-webhook-url=http://localhost:%s/api/v2/reload" (toString .Values.metricsPort) }}
       - -volume-dir=/watch/config
       - -volume-dir=/watch/scripts
+      {{- range $idx, $val := .Values.hotReload.extraWatchVolumes }}
+      - {{ printf "-volume-dir=/watch/extra-%d" (int $idx) }}
+      {{- end }}
     volumeMounts:
       - name: config
         mountPath: /watch/config
       - name: luascripts
         mountPath: /watch/scripts
+      {{- range $idx, $val := .Values.hotReload.extraWatchVolumes }}
+      - name: {{ $val }}
+        mountPath: {{ printf "/watch/extra-%d" (int $idx) }}
+      {{- end }}
     {{- with .Values.hotReload.resources }}
     resources:
       {{- toYaml . | nindent 12 }}
@@ -132,7 +139,7 @@ volumes:
 {{- if or .Values.luaScripts .Values.hotReload.enabled }}
   - name: luascripts
     configMap:
-      name: {{ include "fluent-bit.fullname" . }}-luascripts
+      name: {{ include "fluent-bit.fullname" . }}-luascripts 
 {{- end }}
 {{- if eq .Values.kind "DaemonSet" }}
   {{- toYaml .Values.daemonSetVolumes | nindent 2 }}

charts/fluent-bit/templates/configmap-luascripts.yaml

@@ -8,6 +8,6 @@ metadata:
     {{- include "fluent-bit.labels" . | nindent 4 }}
 data:
   {{ range $key, $value := .Values.luaScripts }}
-  {{ $key }}: {{ $value | quote }}
+  {{ $key }}: {{ (tpl $value $) | quote }}
   {{ end }}
 {{- end -}}

charts/fluent-bit/templates/psp.yaml

@@ -20,12 +20,15 @@ spec:
   hostNetwork: {{ .Values.hostNetwork }}
   hostIPC: false
   hostPID: false
+{{- with .Values.podSecurityPolicy.runAsUser }}
   runAsUser:
-    # TODO: Require the container to run without root privileges.
-    rule: 'RunAsAny'
+  {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.podSecurityPolicy.seLinux }}
   seLinux:
-    # This policy assumes the nodes are using AppArmor rather than SELinux.
-    rule: 'RunAsAny'
+  {{- toYaml . | nindent 4 }}
+{{- end }}
+
   supplementalGroups:
     rule: 'MustRunAs'
     ranges:

charts/fluent-bit/templates/scc.yaml

@@ -24,10 +24,14 @@ forbiddenSysctls:
 readOnlyRootFilesystem: false
 requiredDropCapabilities:
   - MKNOD
+{{- with .Values.openShift.securityContextConstraints.runAsUser }}
 runAsUser:
-  type: RunAsAny
+  {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.openShift.securityContextConstraints.seLinuxContext }}
 seLinuxContext:
-  type: MustRunAs
+  {{- toYaml . | nindent 4 }}
+{{- end }}
 supplementalGroups:
   type: RunAsAny
 volumes: