Merge pull request #307 from fluxcd/release-v0.20.0

Release v0.20.0

Author: stefanprodan

CHANGELOG.md

@@ -1,5 +1,52 @@
 # Changelog
 
+## 0.20.0
+
+**Release date:** 2022-02-01
+
+This prerelease comes with support for referencing `GitRepositories` from another namespace
+using the `spec.sourceRef.namespace` field in `ImageUpdateAutomations`.
+
+Platform admins can disable cross-namespace references with the
+`--no-cross-namespace-refs=true` flag. When this flag is set,
+automations can only refer to Git repositories in the same namespace
+as the automation object, preventing tenants from accessing another tenant's repositories.
+
+The controller is now statically built and includes libgit2 along with
+its main dependencies. The base image used to build and
+run the controller, was changed from Debian Unstable (Sid) to Alpine 3.15.
+
+The controller container images are signed with
+[Cosign and GitHub OIDC](https://github.com/sigstore/cosign/blob/22007e56aee419ae361c9f021869a30e9ae7be03/KEYLESS.md),
+and a Software Bill of Materials in [SPDX format](https://spdx.dev) has been published on the release page.
+
+Starting with this version, the controller deployment conforms to the
+Kubernetes [restricted pod security standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted):
+- all Linux capabilities were dropped
+- the root filesystem was set to read-only
+- the seccomp profile was set to the runtime default
+- run as non-root was enabled
+- the user and group ID was set to 65534
+
+**Breaking changes**:
+- The use of new seccomp API requires Kubernetes 1.19.
+- The controller container is now executed under 65534:65534 (userid:groupid).
+  This change may break deployments that hard-coded the user ID of 'controller' in their PodSecurityPolicy.
+
+Features:
+- Add support for cross-namespace sourceRef in ImageUpdateAutomation
+  [#299](https://github.com/fluxcd/image-automation-controller/pull/299)
+- Allow disabling cross-namespace references
+  [#305](https://github.com/fluxcd/image-automation-controller/pull/305)
+
+Improvements:
+- Publish SBOM and sign release artifacts
+  [#302](https://github.com/fluxcd/image-automation-controller/pull/302)
+- Drop capabilities, enable seccomp and enforce runAsNonRoot
+  [#295](https://github.com/fluxcd/image-automation-controller/pull/295)
+- Statically build using musl toolchain and target alpine
+  [#303](https://github.com/fluxcd/image-automation-controller/pull/303)
+
 ## 0.19.0
 
 **Release date:** 2022-01-07

Makefile

@@ -21,11 +21,11 @@ CACHE := cache
 
 # Version of the source-controller from which to get the GitRepository CRD.
 # Change this if you bump the source-controller/api version in go.mod.
-SOURCE_VER ?= v0.21.0
+SOURCE_VER ?= v0.21.1
 
 # Version of the image-reflector-controller from which to get the ImagePolicy CRD.
 # Change this if you bump the image-reflector-controller/api version in go.mod.
-REFLECTOR_VER ?= v0.15.0
+REFLECTOR_VER ?= v0.16.0
 
 # Repository root based on Git metadata.
 REPOSITORY_ROOT := $(shell git rev-parse --show-toplevel)

config/manager/kustomization.yaml

@@ -5,4 +5,4 @@ resources:
 images:
 - name: fluxcd/image-automation-controller
   newName: fluxcd/image-automation-controller
-  newTag: v0.19.0
+  newTag: v0.20.0

go.mod

@@ -8,9 +8,10 @@ require (
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7
 	github.com/cyphar/filepath-securejoin v0.2.2
-	github.com/fluxcd/image-automation-controller/api v0.19.0
+	github.com/fluxcd/image-automation-controller/api v0.20.0
 	// If you bump this, change REFLECTOR_VER in the Makefile to match
-	github.com/fluxcd/image-reflector-controller/api v0.15.0
+	github.com/fluxcd/image-reflector-controller/api v0.16.0
+	github.com/fluxcd/pkg/apis/acl v0.0.3
 	github.com/fluxcd/pkg/apis/meta v0.10.2
 	github.com/fluxcd/pkg/gittestserver v0.5.0
 	github.com/fluxcd/pkg/runtime v0.12.4
@@ -49,7 +50,6 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emirpasic/gods v1.12.0 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
-	github.com/fluxcd/pkg/apis/acl v0.0.3 // indirect
 	github.com/fluxcd/pkg/gitutil v0.1.0 // indirect
 	github.com/fluxcd/pkg/version v0.1.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect

go.sum

@@ -354,8 +354,8 @@ github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZM
 github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/fluxcd/image-reflector-controller/api v0.15.0 h1:2XUKXLhWjbS7X8k1Ur/LJaIv2C8kbpErB46yw4Xmf4U=
-github.com/fluxcd/image-reflector-controller/api v0.15.0/go.mod h1:SPUqO4kodOglDFpZ+GhW/XBhKo71mWIqFRc+oT0jCfc=
+github.com/fluxcd/image-reflector-controller/api v0.16.0 h1:1O1YdoK7LsJgWLyvfZTSbvQcUQCBcgJ573HA0arlQQY=
+github.com/fluxcd/image-reflector-controller/api v0.16.0/go.mod h1:OIe3mSXc3OwQiNbiQ9vNXWYtNif31hc7WAbZWlFUUnc=
 github.com/fluxcd/pkg/apis/acl v0.0.3 h1:Lw0ZHdpnO4G7Zy9KjrzwwBmDZQuy4qEjaU/RvA6k1lc=
 github.com/fluxcd/pkg/apis/acl v0.0.3/go.mod h1:XPts6lRJ9C9fIF9xVWofmQwftvhY25n1ps7W9xw0XLU=
 github.com/fluxcd/pkg/apis/meta v0.10.2 h1:pnDBBEvfs4HaKiVAYgz+e/AQ8dLvcgmVfSeBroZ/KKI=