diff --git a/cmd/vela-worker/exec.go b/cmd/vela-worker/exec.go
index 0e05264c6..45f2f0398 100644
--- a/cmd/vela-worker/exec.go
+++ b/cmd/vela-worker/exec.go
@@ -70,19 +70,21 @@ func (w *Worker) exec(index int) error {
 //
 // https://godoc.org/github.com/go-vela/worker/executor#New
 _executor, err := executor.New(&executor.Setup{
- Logger: logger,
- Mock: w.Config.Mock,
- Driver: w.Config.Executor.Driver,
- LogMethod: w.Config.Executor.LogMethod,
- MaxLogSize: w.Config.Executor.MaxLogSize,
- Client: w.VelaClient,
- Hostname: w.Config.API.Address.Hostname(),
- Runtime: w.Runtime,
- Build: item.Build,
- Pipeline: item.Pipeline.Sanitize(w.Config.Runtime.Driver),
- Repo: item.Repo,
- User: item.User,
- Version: v.Semantic(),
+ Logger: logger,
+ Mock: w.Config.Mock,
+ Driver: w.Config.Executor.Driver,
+ LogMethod: w.Config.Executor.LogMethod,
+ MaxLogSize: w.Config.Executor.MaxLogSize,
+ EnforceTrustedRepos: w.Config.Executor.EnforceTrustedRepos,
+ PrivilegedImages: w.Config.Runtime.PrivilegedImages,
+ Client: w.VelaClient,
+ Hostname: w.Config.API.Address.Hostname(),
+ Runtime: w.Runtime,
+ Build: item.Build,
+ Pipeline: item.Pipeline.Sanitize(w.Config.Runtime.Driver),
+ Repo: item.Repo,
+ User: item.User,
+ Version: v.Semantic(),
 })
 // add the executor to the worker
diff --git a/cmd/vela-worker/run.go b/cmd/vela-worker/run.go
index c7c1e2897..2fadcddc4 100644
--- a/cmd/vela-worker/run.go
+++ b/cmd/vela-worker/run.go
@@ -93,9 +93,10 @@ func run(c *cli.Context) error {
 CheckIn: c.Duration("checkIn"),
 // executor configuration
 Executor: &executor.Setup{
- Driver: c.String("executor.driver"),
- LogMethod: c.String("executor.log_method"),
- MaxLogSize: c.Uint("executor.max_log_size"),
+ Driver: c.String("executor.driver"),
+ LogMethod: c.String("executor.log_method"),
+ MaxLogSize: c.Uint("executor.max_log_size"),
+ EnforceTrustedRepos: c.Bool("executor.enforce-trusted-repos"),
 },
 // logger configuration
 Logger: &Logger{
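Review bot: The flag name read in `run`, `c.Bool("executor.enforce-trusted-repos")`, is hyphenated while the neighbouring executor flags (`executor.driver`, `executor.log_method`, `executor.max_log_size`) use underscores, and the definition in executor/flags.go in this same commit mixes both spellings, pairing `Name: "executor.enforce-trusted-repos"` with `FilePath: "/vela/executor/enforce_trusted_repos"`. Using `Name: "executor.enforce_trusted_repos"` in flags.go and `c.Bool("executor.enforce_trusted_repos")` here keeps the CLI name aligned with the env var and file-path spelling, which matters for a setting operators will look up by name. The `Value: true` default in flags.go also deserves a comment, since turning it off removes the only gate visible in this commit between untrusted repos and the privileged image list; something like `// on by default: disabling lets pipelines from untrusted repos reach the runtime with privileged images` would make the trade-off explicit.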
diff --git a/docker-compose.yml b/docker-compose.yml
index 876a9ff41..544e898cd 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -29,6 +29,7 @@ services:
 VELA_LOG_LEVEL: trace
 VELA_RUNTIME_DRIVER: docker
 VELA_RUNTIME_PRIVILEGED_IMAGES: 'target/vela-docker'
+ VELA_EXECUTOR_ENFORCE_TRUSTED_REPOS: 'true'
 VELA_SERVER_ADDR: 'http://server:8080'
 VELA_SERVER_SECRET: 'zB7mrKDTZqNeNTD8z47yG4DHywspAh'
 WORKER_ADDR: 'http://worker:8080'
@@ -122,7 +123,7 @@ services:
 # https://www.postgresql.org/
 postgres:
 container_name: postgres
- image: postgres:14-alpine
+ image: postgres:15-alpine
 networks:
 - vela
 environment:
diff --git a/executor/flags.go b/executor/flags.go
index df9d7743f..95c96cfc2 100644
--- a/executor/flags.go
+++ b/executor/flags.go
@@ -37,4 +37,11 @@ var Flags = []cli.Flag{
 Name: "executor.max_log_size",
 Usage: "maximum log size (in bytes)",
 },
+ &cli.BoolFlag{
+ EnvVars: []string{"VELA_EXECUTOR_ENFORCE_TRUSTED_REPOS", "EXECUTOR_ENFORCE_TRUSTED_REPOS"},
+ FilePath: "/vela/executor/enforce_trusted_repos",
+ Name: "executor.enforce-trusted-repos",
+ Usage: "enforce trusted repo restrictions for privileged images",
+ Value: true,
+ },
 }
diff --git a/executor/linux/build.go b/executor/linux/build.go
index 8f01fe5df..8fa38f246 100644
--- a/executor/linux/build.go
+++ b/executor/linux/build.go
@@ -14,7 +14,9 @@ import (
 "golang.org/x/sync/errgroup"
 "github.com/go-vela/types/constants"
+ "github.com/go-vela/types/library"
 "github.com/go-vela/worker/internal/build"
+ "github.com/go-vela/worker/internal/image"
 "github.com/go-vela/worker/internal/step"
 )
@@ -42,6 +44,74 @@ func (c *client) CreateBuild(ctx context.Context) error {
 return fmt.Errorf("unable to upload build state: %w", c.err)
 }
+ // before setting up the build, enforce repo.trusted is set for pipelines containing privileged images
+ // this configuration is set as an executor flag
+ if c.enforceTrustedRepos {
+ // check if pipeline steps contain privileged images
+ // assume no privileged images are in use
+ containsPrivilegedImages := false
+
+ // group steps services and stages together
+ containers := c.pipeline.Steps
+
+ containers = append(containers, c.pipeline.Services...)
+ for _, stage := range c.pipeline.Stages {
+ containers = append(containers, stage.Steps...)
+ }
+
+ for _, container := range containers {
+ // TODO: remove hardcoded reference
+ if container.Image == "#init" {
+ continue
+ }
+
+ for _, pattern := range c.privilegedImages {
+ privileged, err := image.IsPrivilegedImage(container.Image, pattern)
+ if err != nil {
+ return fmt.Errorf("could not verify if image %s is privileged", container.Image)
+ }
+
+ if privileged {
+ containsPrivilegedImages = true
+ }
+ }
+ }
+
+ // check if this build should be denied
+ if (containsPrivilegedImages) && !(c.repo != nil && c.repo.GetTrusted()) {
+ // deny the build, clean build/steps, and return error
+ // populate the build error
+ e := "build denied, repo must be trusted in order to run privileged images"
+ c.build.SetError(e)
+ // set the build status to error
+ c.build.SetStatus(constants.StatusError)
+
+ steps := c.pipeline.Steps
+ for _, stage := range c.pipeline.Stages {
+ steps = append(containers, stage.Steps...)
+ }
+
+ // update all preconfigured steps to the correct status
+ for _, s := range steps {
+ // extract step
+ step := library.StepFromBuildContainer(c.build, s)
+ // status to use for preconfigured steps that are not ran
+ status := constants.StatusKilled
+ // set step status
+ step.SetStatus(status)
+ // send API call to update the step
+ //nolint:contextcheck // ignore passing context
+ _, _, err := c.Vela.Step.Update(c.repo.GetOrg(), c.repo.GetName(), c.build.GetNumber(), step)
+ if err != nil {
+ // only log any step update errors to allow the return err to run
+ c.Logger.Errorf("unable to update step %s to status %s: %s", s.Name, status, err.Error())
+ }
+ }
+
+ return fmt.Errorf("build containing privileged images %s/%d denied, repo is not trusted", c.repo.GetFullName(), c.build.GetNumber())
+ }
+ }
+
+ // setup the runtime build
+ c.err = c.Runtime.SetupBuild(ctx, c.pipeline)
+ if c.err != nil {
diff --git a/executor/linux/build_test.go b/executor/linux/build_test.go
index 334a34b6e..42d465b32 100644
--- a/executor/linux/build_test.go
+++ b/executor/linux/build_test.go
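Review bot: In the deny branch, `steps = append(containers, stage.Steps...)` appends to `containers` (which already holds every step, service and stage step) and overwrites `steps` on each iteration, so for a stages pipeline the killed-status loop issues `Step.Update` for service containers as if they were steps and sends duplicate updates for the last stage's steps; the line should read `steps = append(steps, stage.Steps...)`. Two smaller points in the same hunk: `containers := c.pipeline.Steps` followed by `append` can write into the backing array of `c.pipeline.Steps` when it has spare capacity, so aggregate onto a copy, e.g. `containers := append(c.pipeline.Steps[:0:0], c.pipeline.Steps...)`; and the `IsPrivilegedImage` error path drops the cause, where `return fmt.Errorf("could not verify if image %s is privileged: %w", container.Image, err)` keeps it for the operator reading the build error. The gate itself is fail-closed (an image that cannot be classified denies the build before `Runtime.SetupBuild`), which is the right posture; the deny branch only resets steps, though, so if services are also pre-created server-side they would keep their previous status, which is worth confirming. CreateBuild starts and ends outside the hunk.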
@@ -130,6 +130,529 @@ func TestLinux_CreateBuild(t *testing.T) { } } +func TestLinux_CreateBuild_EnforceTrustedRepos(t *testing.T) { + // setup types + compiler, _ := native.New(cli.NewContext(nil, flag.NewFlagSet("test", 0), nil)) + + _build := testBuild() + // test repo is not trusted by default + _untrustedRepo := testRepo() + _user := testUser() + _metadata := testMetadata() + // to be matched with the image used by testdata/build/steps/basic.yml + _privilegedImagesStepsPipeline := []string{"alpine"} + // to be matched with the image used by testdata/build/services/basic.yml + _privilegedImagesServicesPipeline := []string{"postgres"} + // to be matched with the image used by testdata/build/stages/basic.yml + _privilegedImagesStagesPipeline := []string{"alpine"} + + // create trusted repo + _trustedRepo := testRepo() + _trustedRepo.SetTrusted(true) + + gin.SetMode(gin.TestMode) + + s := httptest.NewServer(server.FakeHandler()) + + _client, err := vela.NewClient(s.URL, "", nil) + if err != nil { + t.Errorf("unable to create Vela API client: %v", err) + } + + _runtime, err := docker.NewMock() + if err != nil { + t.Errorf("unable to create runtime engine: %v", err) + } + + tests := []struct { + name string + failure bool + build *library.Build + repo *library.Repo + pipeline string + privilegedImages []string + enforceTrustedRepos bool + }{ + { + name: "enforce trusted repos enabled: privileged steps pipeline with trusted repo", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/steps/basic.yml", + privilegedImages: _privilegedImagesStepsPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: privileged steps pipeline with untrusted repo", + failure: true, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/steps/basic.yml", + privilegedImages: _privilegedImagesStepsPipeline, // this matches the image from test.pipeline + 
enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: non-privileged steps pipeline with trusted repo", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/steps/basic.yml", + privilegedImages: []string{}, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: non-privileged steps pipeline with untrusted repo", + failure: false, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/steps/basic.yml", + privilegedImages: []string{}, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos disabled: privileged steps pipeline with trusted repo", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/steps/basic.yml", + privilegedImages: _privilegedImagesStepsPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: privileged steps pipeline with untrusted repo", + failure: false, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/steps/basic.yml", + privilegedImages: _privilegedImagesStepsPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: non-privileged steps pipeline with trusted repo", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/steps/basic.yml", + privilegedImages: []string{}, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: non-privileged steps pipeline with untrusted repo", + failure: false, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/steps/basic.yml", + privilegedImages: []string{}, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + + { + name: "enforce trusted repos enabled: privileged services 
pipeline with trusted repo", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/services/basic.yml", + privilegedImages: _privilegedImagesServicesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: privileged services pipeline with untrusted repo", + failure: true, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/services/basic.yml", + privilegedImages: _privilegedImagesServicesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: non-privileged services pipeline with trusted repo", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/services/basic.yml", + privilegedImages: []string{}, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: non-privileged services pipeline with untrusted repo", + failure: false, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/services/basic.yml", + privilegedImages: []string{}, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos disabled: privileged services pipeline with trusted repo", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/services/basic.yml", + privilegedImages: _privilegedImagesServicesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: privileged services pipeline with untrusted repo", + failure: false, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/services/basic.yml", + privilegedImages: _privilegedImagesServicesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: non-privileged services pipeline with 
trusted repo", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/services/basic.yml", + privilegedImages: []string{}, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: non-privileged services pipeline with untrusted repo", + failure: false, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/services/basic.yml", + privilegedImages: []string{}, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos enabled: privileged stages pipeline with trusted repo", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/stages/basic.yml", + privilegedImages: _privilegedImagesStagesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: privileged stages pipeline with untrusted repo", + failure: true, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/stages/basic.yml", + privilegedImages: _privilegedImagesStagesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: non-privileged stages pipeline with trusted repo", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/stages/basic.yml", + privilegedImages: []string{}, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: non-privileged stages pipeline with untrusted repo", + failure: false, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/stages/basic.yml", + privilegedImages: []string{}, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos disabled: privileged stages pipeline with trusted repo", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: 
"testdata/build/stages/basic.yml", + privilegedImages: _privilegedImagesStagesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: privileged stages pipeline with untrusted repo", + failure: false, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/stages/basic.yml", + privilegedImages: _privilegedImagesStagesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: non-privileged stages pipeline with trusted repo", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/stages/basic.yml", + privilegedImages: []string{}, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: non-privileged stages pipeline with untrusted repo", + failure: false, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/stages/basic.yml", + privilegedImages: []string{}, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos enabled: privileged steps pipeline with trusted repo and init step name", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/steps/name_init.yml", + privilegedImages: _privilegedImagesStepsPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: privileged steps pipeline with untrusted repo and init step name", + failure: true, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/steps/name_init.yml", + privilegedImages: _privilegedImagesStepsPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: non-privileged steps pipeline with trusted repo and init step name", + failure: false, + build: _build, + repo: _trustedRepo, + 
pipeline: "testdata/build/steps/name_init.yml", + privilegedImages: _privilegedImagesStepsPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: non-privileged steps pipeline with untrusted repo and init step name", + failure: true, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/steps/name_init.yml", + privilegedImages: _privilegedImagesStepsPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos disabled: privileged steps pipeline with trusted repo and init step name", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/steps/name_init.yml", + privilegedImages: _privilegedImagesStepsPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: privileged steps pipeline with untrusted repo and init step name", + failure: false, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/steps/name_init.yml", + privilegedImages: _privilegedImagesStepsPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: non-privileged steps pipeline with trusted repo and init step name", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/steps/name_init.yml", + privilegedImages: _privilegedImagesStepsPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: non-privileged steps pipeline with untrusted repo and init step name", + failure: false, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/steps/name_init.yml", + privilegedImages: _privilegedImagesStepsPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos enabled: privileged 
stages pipeline with trusted repo and init step name", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/stages/name_init.yml", + privilegedImages: _privilegedImagesStagesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: privileged stages pipeline with untrusted repo and init step name", + failure: true, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/stages/name_init.yml", + privilegedImages: _privilegedImagesStagesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: non-privileged stages pipeline with trusted repo and init step name", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/stages/name_init.yml", + privilegedImages: _privilegedImagesStagesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: non-privileged stages pipeline with untrusted repo and init step name", + failure: true, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/stages/name_init.yml", + privilegedImages: _privilegedImagesStagesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos disabled: privileged stages pipeline with trusted repo and init step name", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/stages/name_init.yml", + privilegedImages: _privilegedImagesStagesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: privileged stages pipeline with untrusted repo and init step name", + failure: false, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/stages/name_init.yml", + privilegedImages: _privilegedImagesStagesPipeline, // this 
matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: non-privileged stages pipeline with trusted repo and init step name", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/stages/name_init.yml", + privilegedImages: _privilegedImagesStagesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: non-privileged stages pipeline with untrusted repo and init step name", + failure: false, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/stages/name_init.yml", + privilegedImages: _privilegedImagesStagesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos enabled: privileged services pipeline with trusted repo and init service name", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/services/name_init.yml", + privilegedImages: _privilegedImagesServicesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: privileged services pipeline with untrusted repo and init service name", + failure: true, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/services/name_init.yml", + privilegedImages: _privilegedImagesServicesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: non-privileged services pipeline with trusted repo and init service name", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/services/name_init.yml", + privilegedImages: _privilegedImagesServicesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos enabled: non-privileged services pipeline with untrusted repo and init service name", + 
failure: true, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/services/name_init.yml", + privilegedImages: _privilegedImagesServicesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos disabled: privileged services pipeline with trusted repo and init service name", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/services/name_init.yml", + privilegedImages: _privilegedImagesServicesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: privileged services pipeline with untrusted repo and init service name", + failure: false, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/services/name_init.yml", + privilegedImages: _privilegedImagesServicesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: non-privileged services pipeline with trusted repo and init service name", + failure: false, + build: _build, + repo: _trustedRepo, + pipeline: "testdata/build/services/name_init.yml", + privilegedImages: _privilegedImagesServicesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + { + name: "enforce trusted repos disabled: non-privileged services pipeline with untrusted repo and init service name", + failure: false, + build: _build, + repo: _untrustedRepo, + pipeline: "testdata/build/services/name_init.yml", + privilegedImages: _privilegedImagesServicesPipeline, // this matches the image from test.pipeline + enforceTrustedRepos: false, + }, + } + + // run test + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + _pipeline, _, err := compiler. + Duplicate(). + WithBuild(_build). + WithRepo(test.repo). + WithMetadata(_metadata). + WithUser(_user). 
+ Compile(test.pipeline) + if err != nil { + t.Errorf("unable to compile pipeline %s: %v", test.pipeline, err) + } + + _engine, err := New( + WithBuild(test.build), + WithPipeline(_pipeline), + WithRepo(test.repo), + WithRuntime(_runtime), + WithUser(_user), + WithVelaClient(_client), + WithPrivilegedImages(test.privilegedImages), + WithEnforceTrustedRepos(test.enforceTrustedRepos), + ) + if err != nil { + t.Errorf("unable to create executor engine: %v", err) + } + + err = _engine.CreateBuild(context.Background()) + + if test.failure { + if err == nil { + t.Errorf("CreateBuild should have returned err") + } + + return // continue to next test + } + + if err != nil { + t.Errorf("CreateBuild returned err: %v", err) + } + }) + } +} + func TestLinux_PlanBuild(t *testing.T) { // setup types compiler, _ := native.New(cli.NewContext(nil, flag.NewFlagSet("test", 0), nil)) diff --git a/executor/linux/linux.go b/executor/linux/linux.go index d8650cdcd..a2346731a 100644 --- a/executor/linux/linux.go +++ b/executor/linux/linux.go @@ -31,17 +31,19 @@ type ( secret *secretSvc // private fields - init *pipeline.Container - logMethod string - maxLogSize uint - build *library.Build - pipeline *pipeline.Build - repo *library.Repo - secrets sync.Map - services sync.Map - serviceLogs sync.Map - steps sync.Map - stepLogs sync.Map + init *pipeline.Container + logMethod string + maxLogSize uint + privilegedImages []string + enforceTrustedRepos bool + build *library.Build + pipeline *pipeline.Build + repo *library.Repo + secrets sync.Map + services sync.Map + serviceLogs sync.Map + steps sync.Map + stepLogs sync.Map streamRequests chan message.StreamRequest 
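Review bot: Several entries in TestLinux_CreateBuild_EnforceTrustedRepos are named "non-privileged ... with init step name" yet pass `privilegedImages: _privilegedImagesStepsPipeline` (or the stages/services equivalent) and expect `failure: true` for the untrusted-repo case, so they duplicate the privileged rows and the non-privileged path through the `name_init.yml` fixtures is never exercised; those rows should use `privilegedImages: []string{}` with `failure: false`, as the `basic.yml` non-privileged rows do. The run loop also calls `t.Errorf` and continues when `Compile` or `New` fails, which then dereferences a nil `_pipeline` or `_engine` on the following lines; `t.Fatalf` is the right call at both sites. The compiler is primed with `WithBuild(_build)` while the executor receives `test.build`, harmless today because every row uses `_build`, but `WithBuild(test.build)` keeps the two in step if a row ever differs. TestLinux_CreateBuild_EnforceTrustedRepos begins outside this chunk.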
@@ -70,6 +72,8 @@ func Equal(a, b *client) bool {
 reflect.DeepEqual(a.init, b.init) &&
 a.logMethod == b.logMethod &&
 a.maxLogSize == b.maxLogSize &&
+ reflect.DeepEqual(a.privilegedImages, b.privilegedImages) &&
+ a.enforceTrustedRepos == b.enforceTrustedRepos &&
 reflect.DeepEqual(a.build, b.build) &&
 reflect.DeepEqual(a.pipeline, b.pipeline) &&
 reflect.DeepEqual(a.repo, b.repo) &&
diff --git a/executor/linux/opts.go b/executor/linux/opts.go
index 4095a055d..a75d0a428 100644
--- a/executor/linux/opts.go
+++ b/executor/linux/opts.go
@@ -64,6 +64,30 @@ func WithMaxLogSize(size uint) Opt {
 }
 }
+// WithPrivilegedImages sets the privileged images in the executor client for Linux.
+func WithPrivilegedImages(images []string) Opt {
+ return func(c *client) error {
+ c.Logger.Trace("configuring privileged images in linux executor client")
+
+ // set the privileged images in the client
+ c.privilegedImages = images
+
+ return nil
+ }
+}
+
+// WithEnforceTrustedRepos configures trusted repo restrictions in the executor client for Linux.
+func WithEnforceTrustedRepos(enforce bool) Opt {
+ return func(c *client) error {
+ c.Logger.Trace("configuring trusted repo restrictions in linux executor client")
+
+ // set trusted repo restrictions in the client
+ c.enforceTrustedRepos = enforce
+
+ return nil
+ }
+}
+
+ // WithHostname sets the hostname in the executor client for Linux.
 func WithHostname(hostname string) Opt {
 return func(c *client) error {
diff --git a/executor/linux/opts_test.go b/executor/linux/opts_test.go
index 5c26f44d5..f01c6b87d 100644
--- a/executor/linux/opts_test.go
+++ b/executor/linux/opts_test.go
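Review bot: `WithPrivilegedImages` stores the caller's slice header as-is (`c.privilegedImages = images`), so any later mutation of that slice by the caller silently changes the policy the executor enforces; copying at the boundary with `c.privilegedImages = append(images[:0:0], images...)` keeps the client's view stable, and the `[:0:0]` form preserves nil-versus-empty, which the `reflect.DeepEqual` comparison in `Equal` and the `TestLinux_Opt_WithPrivilegedImages` rows rely on. The doc comment could also say what the list is for, e.g. `// WithPrivilegedImages sets the image patterns treated as privileged when enforcing trusted repo restrictions in the executor client for Linux.`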
@@ -161,6 +161,101 @@ func TestLinux_Opt_WithMaxLogSize(t *testing.T) { } } +func TestLinux_Opt_WithPrivilegedImages(t *testing.T) { + // setup tests + tests := []struct { + name string + failure bool + privilegedImages []string + }{ + { + name: "empty privileged images", + failure: false, + privilegedImages: []string{}, + }, + { + name: "with privileged image", + failure: false, + privilegedImages: []string{"target/vela-docker"}, + }, + { + name: "with privileged images", + failure: false, + privilegedImages: []string{"alpine", "target/vela-docker"}, + }, + } + + // run tests + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + _engine, err := New( + WithPrivilegedImages(test.privilegedImages), + ) + + if test.failure { + if err == nil { + t.Errorf("WithPrivilegedImages should have returned err") + } + + return // continue to next test + } + + if err != nil { + t.Errorf("WithPrivilegedImages returned err: %v", err) + } + + if !reflect.DeepEqual(_engine.privilegedImages, test.privilegedImages) { + t.Errorf("WithPrivilegedImages is %v, want %v", _engine.privilegedImages, test.privilegedImages) + } + }) + } +} + +func TestLinux_Opt_WithEnforceTrustedRepos(t *testing.T) { + // setup tests + tests := []struct { + name string + failure bool + enforceTrustedRepos bool + }{ + { + name: "enforce trusted repos enabled", + failure: false, + enforceTrustedRepos: true, + }, + { + name: "enforce trusted repos disabled", + failure: false, + enforceTrustedRepos: false, + }, + } + + // run tests + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + _engine, err := New( + WithEnforceTrustedRepos(test.enforceTrustedRepos), + ) + + if test.failure { + if err == nil { + t.Errorf("WithEnforceTrustedRepos should have returned err") + } + + return // continue to next test + } + + if err != nil { + t.Errorf("WithEnforceTrustedRepos returned err: %v", err) + } + + if !reflect.DeepEqual(_engine.enforceTrustedRepos, test.enforceTrustedRepos) { + 
t.Errorf("WithEnforceTrustedRepos is %v, want %v", _engine.enforceTrustedRepos, test.enforceTrustedRepos) + } + }) + } +} + func TestLinux_Opt_WithHostname(t *testing.T) { // setup tests tests := []struct { diff --git a/executor/linux/testdata/build/services/name_init.yml b/executor/linux/testdata/build/services/name_init.yml new file mode 100644 index 000000000..231fcde3f --- /dev/null +++ b/executor/linux/testdata/build/services/name_init.yml @@ -0,0 +1,17 @@ +--- +version: "1" +services: + - name: init + environment: + FOO: bar + image: postgres:latest + pull: true + +steps: + - name: test + commands: + - echo ${FOO} + environment: + FOO: bar + image: alpine:latest + pull: true \ No newline at end of file diff --git a/executor/linux/testdata/build/stages/name_init.yml b/executor/linux/testdata/build/stages/name_init.yml new file mode 100644 index 000000000..99624eca6 --- /dev/null +++ b/executor/linux/testdata/build/stages/name_init.yml @@ -0,0 +1,13 @@ +--- +version: "1" +stages: + test: + steps: + - name: init + commands: + - echo ${FOO} + environment: + FOO: bar + image: alpine:latest + pull: true + \ No newline at end of file diff --git a/executor/linux/testdata/build/steps/name_init.yml b/executor/linux/testdata/build/steps/name_init.yml new file mode 100644 index 000000000..1121055c0 --- /dev/null +++ b/executor/linux/testdata/build/steps/name_init.yml @@ -0,0 +1,11 @@ +--- +version: "1" +steps: + - name: init + commands: + - echo ${FOO} + environment: + FOO: bar + image: alpine:latest + pull: true + \ No newline at end of file diff --git a/executor/setup.go b/executor/setup.go index 3044aa371..2b07f7ae2 100644 --- a/executor/setup.go +++ b/executor/setup.go 
@@ -40,6 +40,10 @@ type Setup struct {
 LogMethod string
 // specifies the maximum log size
 MaxLogSize uint
+ // specifies a list of privileged images to use
+ PrivilegedImages []string
+ // configuration for enforcing that only trusted repos may run privileged images
+ EnforceTrustedRepos bool
 // specifies the executor hostname
 Hostname string
 // specifies the executor version
@@ -81,6 +85,8 @@ func (s *Setup) Linux() (Engine, error) {
 linux.WithBuild(s.Build),
 linux.WithLogMethod(s.LogMethod),
 linux.WithMaxLogSize(s.MaxLogSize),
+ linux.WithPrivilegedImages(s.PrivilegedImages),
+ linux.WithEnforceTrustedRepos(s.EnforceTrustedRepos),
 linux.WithHostname(s.Hostname),
 linux.WithPipeline(s.Pipeline),
 linux.WithRepo(s.Repo),
diff --git a/go.mod b/go.mod
index 616fefca8..f4316e54e 100644
--- a/go.mod
+++ b/go.mod
@@ -5,23 +5,23 @@ go 1.19
 require (
 github.com/Masterminds/semver/v3 v3.1.1
 github.com/docker/distribution v2.8.1+incompatible
- github.com/docker/docker v20.10.18+incompatible
+ github.com/docker/docker v20.10.21+incompatible
 github.com/docker/go-units v0.5.0
 github.com/gin-gonic/gin v1.8.1
- github.com/go-vela/sdk-go v0.15.1
- github.com/go-vela/server v0.15.1
- github.com/go-vela/types v0.15.1
+ github.com/go-vela/sdk-go v0.16.1
+ github.com/go-vela/server v0.16.1
+ github.com/go-vela/types v0.16.1
 github.com/google/go-cmp v0.5.9
 github.com/joho/godotenv v1.4.0
 github.com/opencontainers/image-spec v1.0.2
- github.com/prometheus/client_golang v1.13.0
+ github.com/prometheus/client_golang v1.14.0
 github.com/sirupsen/logrus v1.9.0
- github.com/urfave/cli/v2 v2.17.1
- golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0
- gotest.tools/v3 v3.3.0
- k8s.io/api v0.25.2
- k8s.io/apimachinery v0.25.2
- k8s.io/client-go v0.25.2
+ github.com/urfave/cli/v2 v2.23.5
+ golang.org/x/sync v0.1.0
+ gotest.tools/v3 v3.4.0
+ k8s.io/api v0.25.3
+ k8s.io/apimachinery v0.25.3
+ k8s.io/client-go v0.25.3
 sigs.k8s.io/yaml v1.3.0
 )
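Review bot: The new `Setup` field comments are thin for a security control: `// specifies a list of privileged images to use` does not say these are patterns matched against pipeline container images, nor that `EnforceTrustedRepos` is inert when the list is empty (with no patterns nothing can be classified privileged, so no build is denied). Suggest `// specifies the image patterns treated as privileged; consulted when EnforceTrustedRepos is set` and `// denies builds from untrusted repos whose pipeline uses a privileged image (on by default via the executor flag)`. There is also no validation visible in this hunk that `PrivilegedImages` is non-empty when enforcement is enabled; if `Setup` has a validation step elsewhere in the file, a warning there would surface a silently ineffective gate.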
@@ -32,7 +32,7 @@ require ( github.com/PuerkitoBio/purell v1.1.1 // indirect github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect - github.com/alicebob/miniredis/v2 v2.23.0 // indirect + github.com/alicebob/miniredis/v2 v2.23.1 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/buildkite/yaml v0.0.0-20181016232759-0caa5f0796e3 // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect @@ -86,7 +86,7 @@ require ( github.com/opencontainers/go-digest v1.0.0 // indirect github.com/pelletier/go-toml/v2 v2.0.1 // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/prometheus/client_model v0.2.0 // indirect + github.com/prometheus/client_model v0.3.0 // indirect github.com/prometheus/common v0.37.0 // indirect github.com/prometheus/procfs v0.8.0 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect 
@@ -96,14 +96,14 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/ugorji/go/codec v1.2.7 // indirect github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect - github.com/yuin/gopher-lua v0.0.0-20210529063254-f4c35e4016d9 // indirect - go.starlark.net v0.0.0-20220928063852-5fccb4daaf6d // indirect + github.com/yuin/gopher-lua v0.0.0-20220504180219-658193537a64 // indirect + go.starlark.net v0.0.0-20221028183056-acb66ad56dd2 // indirect golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect - golang.org/x/net v0.0.0-20221002022538-bcab6841153b // indirect + golang.org/x/net v0.1.0 // indirect golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 // indirect - golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab // indirect - golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect - golang.org/x/text v0.3.7 // indirect + golang.org/x/sys v0.1.0 // indirect + golang.org/x/term v0.1.0 // indirect + golang.org/x/text v0.4.0 // indirect golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/protobuf v1.28.1 // indirect diff --git a/go.sum b/go.sum index f77c5f481..41bbe5dc1 100644 --- a/go.sum +++ b/go.sum 
@@ -60,8 +60,8 @@ github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRF github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a h1:HbKu58rmZpUGpz5+4FfNmIU+FmZg2P3Xaj2v2bfNWmk= github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc= -github.com/alicebob/miniredis/v2 v2.23.0 h1:+lwAJYjvvdIVg6doFHuotFjueJ/7KY10xo/vm3X3Scw= -github.com/alicebob/miniredis/v2 v2.23.0/go.mod h1:XNqvJdQJv5mSuVMc0ynneafpnL/zv52acZ6kqeS0t88= +github.com/alicebob/miniredis/v2 v2.23.1 h1:jR6wZggBxwWygeXcdNyguCOCIjPsZyNUNlAkTx2fu0U= +github.com/alicebob/miniredis/v2 v2.23.1/go.mod h1:84TWKZlxYkfgMucPBf5SOQBYJceZeQRFIaQgNMiCX6Q= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -92,8 +92,8 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v20.10.18+incompatible h1:SN84VYXTBNGn92T/QwIRPlum9zfemfitN7pbsp26WSc= -github.com/docker/docker v20.10.18+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v20.10.21+incompatible h1:UTLdBmHk3bEY+w8qeO5KttOhy6OmXWsl/FEet9Uswog= +github.com/docker/docker v20.10.21+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= 
@@ -153,12 +153,12 @@ github.com/go-playground/validator/v10 v10.10.0/go.mod h1:74x4gJWsvQexRdW8Pn3dXS github.com/go-redis/redis/v8 v8.11.5 h1:AcZZR7igkdvfVmQTPnu9WE37LRrO/YrBH5zWyjDC0oI= github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/go-vela/sdk-go v0.15.1 h1:DEH5DzamH3InTXeXE2iiKiiQhu/NILWna+zb+ceXEFA= -github.com/go-vela/sdk-go v0.15.1/go.mod h1:QjYqC1bbrDshUVaScUwtNgj3P/uqctdUHfD2agm6OCU= -github.com/go-vela/server v0.15.1 h1:7J9QfFXNVREhX4mILCWyqZE3o29a2oThEN2WeQ/wWF4= -github.com/go-vela/server v0.15.1/go.mod h1:k3p4ZhDKYKVO3rbkCAow3N/01f2Iel9KDR2yTaH90UI= -github.com/go-vela/types v0.15.1 h1:nQxfxoqxavuTYtvFJW4wK9UkkADN2VG6Z4ubvJ8PT1s= -github.com/go-vela/types v0.15.1/go.mod h1:6KoRkvXMw9DkAcLdtI7PxPqMlT2Bl0DiigQamLGGjwo= +github.com/go-vela/sdk-go v0.16.1 h1:TrexXFMRQVs5UQXL9NV0Urv+sRu7RElKyVo8qK/yGLY= +github.com/go-vela/sdk-go v0.16.1/go.mod h1:fm8xpL9t1pBLdB9cQDHn8jyuQX8IapYzexD/cbQwKoc= +github.com/go-vela/server v0.16.1 h1:1ihfbBha098noeM9dbBNSVqj8PLaNy+Sw9VBtc7tabY= +github.com/go-vela/server v0.16.1/go.mod h1:vqSBrSJWw/OpynddskXDS5GggmlYpisQXODEWsGXk6k= +github.com/go-vela/types v0.16.1 h1:PGtOQ0AQLAFJ23wi6ns5JF1y68v4VjA/NbZs5HYZmhY= +github.com/go-vela/types v0.16.1/go.mod h1:6KoRkvXMw9DkAcLdtI7PxPqMlT2Bl0DiigQamLGGjwo= github.com/goccy/go-json v0.9.7 h1:IcB+Aqpx/iMHu5Yooh7jEzJk1JZ7Pjtmys2ukPr7EeM= github.com/goccy/go-json v0.9.7/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= 
@@ -345,13 +345,14 @@ github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5Fsn github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= -github.com/prometheus/client_golang v1.13.0 h1:b71QUfeo5M8gq2+evJdTPfZhYMAU0uKPkyPJ7TPsloU= -github.com/prometheus/client_golang v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ= +github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw= +github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4= +github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= 
@@ -396,29 +397,29 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= github.com/ugorji/go v1.2.7/go.mod h1:nF9osbDWLy6bDVv/Rtoh6QgnvNDpmCalQV5urGCCS6M= github.com/ugorji/go/codec v1.2.7 h1:YPXUKf7fYbp/y8xloBqZOw2qaVggbfwMlI8WM3wZUJ0= github.com/ugorji/go/codec v1.2.7/go.mod h1:WGN1fab3R1fzQlVQTkfxVtIBhWDRqOviHU95kRgeqEY= -github.com/urfave/cli/v2 v2.17.1 h1:UzjDEw2dJQUE3iRaiNQ1VrVFbyAtKGH3VdkMoHA58V0= -github.com/urfave/cli/v2 v2.17.1/go.mod h1:1CNUng3PtjQMtRzJO4FMXBQvkGtuYRxxiR9xMa7jMwI= +github.com/urfave/cli/v2 v2.23.5 h1:xbrU7tAYviSpqeR3X4nEFWUdB/uDZ6DE+HxmRU7Xtyw= +github.com/urfave/cli/v2 v2.23.5/go.mod h1:GHupkWPMM0M/sj1a2b4wUrWBPzazNrIjouW6fmdJLxc= github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 h1:bAn7/zixMGCfxrRTfdpNzjtPYqr8smhKouy9mxVdGPU= github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/gopher-lua v0.0.0-20210529063254-f4c35e4016d9 h1:k/gmLsJDWwWqbLCur2yWnJzwQEKRcAHXo6seXGuSwWw= -github.com/yuin/gopher-lua v0.0.0-20210529063254-f4c35e4016d9/go.mod 
h1:E1AXubJBdNmFERAOucpDIxNzeGfLzg0mYh+UfMWdChA= +github.com/yuin/gopher-lua v0.0.0-20220504180219-658193537a64 h1:5mLPGnFdSsevFRFc9q3yYbBkB6tsm4aCwwQV/j1JQAQ= +github.com/yuin/gopher-lua v0.0.0-20220504180219-658193537a64/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= -go.starlark.net v0.0.0-20220928063852-5fccb4daaf6d h1:aF+anaRVZu22kdETjLavnIn/cvD+arhmik6vMU3joW4= -go.starlark.net v0.0.0-20220928063852-5fccb4daaf6d/go.mod h1:kIVgS18CjmEC3PqMd5kaJSGEifyV/CeB9x506ZJ1Vbk= +go.starlark.net v0.0.0-20221028183056-acb66ad56dd2 h1:5/KzhcSqd4UgY51l17r7C5g/JiE6DRw1Vq7VJfQHuMc= +go.starlark.net v0.0.0-20221028183056-acb66ad56dd2/go.mod h1:kIVgS18CjmEC3PqMd5kaJSGEifyV/CeB9x506ZJ1Vbk= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 
@@ -501,8 +502,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20221002022538-bcab6841153b h1:6e93nYa3hNqAvLr0pD4PN1fFS+gKzp2zAXqrnTCstqU= -golang.org/x/net v0.0.0-20221002022538-bcab6841153b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0= +golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -526,8 +527,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0 h1:cu5kTvlzcw1Q5S9f5ip1/cpiB4nXvw1XYzFPGgzLUOY= -golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -579,12 +580,13 @@ golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab h1:2QkjZIsXupsJbJIdSjjUOgWK3aEtzyuh2mPt3l/CkeU= -golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 h1:CBpWXWQpIRjzmkkA+M7q9Fqnwd2mZr3AFqexg8YTfoM= golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw= +golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -592,8 +594,9 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -773,8 +776,8 @@ gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= -gotest.tools/v3 v3.3.0 h1:MfDY1b1/0xN1CyMlQDac0ziEy9zJQd9CXBRRDHw2jJo= -gotest.tools/v3 v3.3.0/go.mod h1:Mcr9QNxkg0uMvy/YElmo4SpXgJKWgQvYrT7Kw5RzJ1A= +gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= +gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -782,12 +785,12 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.25.2 h1:v6G8RyFcwf0HR5jQGIAYlvtRNrxMJQG1xJzaSeVnIS8= -k8s.io/api v0.25.2/go.mod h1:qP1Rn4sCVFwx/xIhe+we2cwBLTXNcheRyYXwajonhy0= -k8s.io/apimachinery v0.25.2 h1:WbxfAjCx+AeN8Ilp9joWnyJ6xu9OMeS/fsfjK/5zaQs= -k8s.io/apimachinery v0.25.2/go.mod h1:hqqA1X0bsgsxI6dXsJ4HnNTBOmJNxyPp8dw3u2fSHwA= -k8s.io/client-go v0.25.2 h1:SUPp9p5CwM0yXGQrwYurw9LWz+YtMwhWd0GqOsSiefo= -k8s.io/client-go v0.25.2/go.mod h1:i7cNU7N+yGQmJkewcRD2+Vuj4iz7b30kI8OcL3horQ4= +k8s.io/api v0.25.3 h1:Q1v5UFfYe87vi5H7NU0p4RXC26PPMT8KOpr1TLQbCMQ= +k8s.io/api v0.25.3/go.mod h1:o42gKscFrEVjHdQnyRenACrMtbuJsVdP+WVjqejfzmI= +k8s.io/apimachinery v0.25.3 h1:7o9ium4uyUOM76t6aunP0nZuex7gDf8VGwkR5RcJnQc= +k8s.io/apimachinery v0.25.3/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= +k8s.io/client-go v0.25.3 h1:oB4Dyl8d6UbfDHD8Bv8evKylzs3BXzzufLiO27xuPs0= +k8s.io/client-go v0.25.3/go.mod h1:t39LPczAIMwycjcXkVc+CB+PZV69jQuNx4um5ORDjQA= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.70.1 h1:7aaoSdahviPmR+XkS7FyxlkkXs6tHISSG03RxleQAVQ= k8s.io/klog/v2 v2.70.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= diff --git a/runtime/flags.go b/runtime/flags.go index 2e01350b8..cbf87de3c 100644 --- a/runtime/flags.go +++ b/runtime/flags.go @@ -53,7 +53,6 @@ var Flags = []cli.Flag{ FilePath: "/vela/runtime/privileged_images", Name: "runtime.privileged-images", Usage: "list of images allowed to run in privileged mode for the runtime", - Value: cli.NewStringSlice("target/vela-docker"), }, &cli.StringSliceFlag{ EnvVars: []string{"VELA_RUNTIME_VOLUMES", "RUNTIME_VOLUMES"},
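Review bot: Dropping the `Value: cli.NewStringSlice("target/vela-docker")` default in the `runtime.privileged-images` flag is a silent behaviour change for operators who relied on that image being implicitly privileged: after upgrade the list is empty and builds using it presumably start failing, which is the safe direction but should be stated in the flag help and called out as breaking. Suggested `Usage: "list of images allowed to run in privileged mode for the runtime (empty by default: no image runs privileged unless listed)"`. It would also help to note here that the new `executor.enforce-trusted-repos` check only has something to act on when this list is non-empty, so the two flags should be documented together.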