Merge pull request #465 from stefanprodan/release-6.11.1

Release 6.11.1

.github/workflows/release.yml

@@ -19,8 +19,6 @@ jobs:
       - uses: actions/checkout@v6
       - uses: ./.github/actions/runner-cleanup
       - uses: sigstore/cosign-installer@v4.0.0
-        with:
-          cosign-release: v2.6.1
       - uses: fluxcd/flux2/action@v2.8.1
       - uses: stefanprodan/timoni/actions/setup@v0.26.0
       - name: Setup Notation CLI
@@ -44,20 +42,20 @@ jobs:
         with:
           version: v4.1.1
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
         with:
           platforms: all
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
@@ -73,7 +71,7 @@ jobs:
           echo "REVISION=${GITHUB_SHA}" >> $GITHUB_OUTPUT
       - name: Generate images meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: |
             docker.io/stefanprodan/podinfo
@@ -82,7 +80,7 @@ jobs:
             type=raw,value=${{ steps.prep.outputs.VERSION }}
             type=raw,value=latest
       - name: Publish multi-arch image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           sbom: true
           provenance: true
@@ -125,7 +123,7 @@ jobs:
           cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }} --yes
           cosign sign ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --yes
       - name: Publish base image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           push: true
           builder: ${{ steps.buildx.outputs.name }}

charts/podinfo/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-version: 6.10.2
-appVersion: 6.10.2
+version: 6.11.1
+appVersion: 6.11.1
 name: podinfo
 engine: gotpl
 description: Podinfo Helm chart for Kubernetes

charts/podinfo/templates/grpcroute.yaml

@@ -0,0 +1,42 @@
+{{- if .Values.grpcRoute.enabled -}}
+{{- $fullName := include "podinfo.fullname" . -}}
+{{- $grpcPort := .Values.service.grpcPort -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: GRPCRoute
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ include "podinfo.namespace" . }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+    {{- with .Values.grpcRoute.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.grpcRoute.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  parentRefs:
+    {{- with .Values.grpcRoute.parentRefs }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.grpcRoute.hostnames }}
+  hostnames:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rules:
+    {{- range .Values.grpcRoute.rules }}
+    - backendRefs:
+        - name: {{ $fullName }}
+          port: {{ $grpcPort }}
+          weight: 1
+    {{- with .matches }}
+      matches:
+      {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .filters }}
+      filters:
+      {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- end }}
+{{- end }}

charts/podinfo/values-prod.yaml

@@ -8,7 +8,7 @@ backends: []
 
 image:
   repository: ghcr.io/stefanprodan/podinfo
-  tag: 6.10.2
+  tag: 6.11.1
   pullPolicy: IfNotPresent
 
 ui:

charts/podinfo/values.yaml

@@ -8,7 +8,7 @@ backends: []
 
 image:
   repository: ghcr.io/stefanprodan/podinfo
-  tag: 6.10.2
+  tag: 6.11.1
   pullPolicy: IfNotPresent
   pullSecrets: []
 
@@ -232,6 +232,28 @@ httpRoute:
             type: PathPrefix
             value: /
 
+# -- Expose the gRPC service via Gateway GRPCRoute
+# Requires a Gateway controller with GRPCRoute support
+# Docs https://gateway-api.sigs.k8s.io/guides/grpc-routing/
+grpcRoute:
+  # GRPCRoute enabled.
+  enabled: false
+  # Add additional labels to the GRPCRoute.
+  additionalLabels: {}
+  # GRPCRoute annotations.
+  annotations: {}
+  # Which Gateways this Route is attached to.
+  parentRefs:
+    - name: gateway
+      sectionName: http
+      # namespace: default
+  # Hostnames matching HTTP header.
+  hostnames:
+    - podinfo.local
+  # List of rules applied.
+  rules:
+    - {}
+
 # create Prometheus Operator monitor
 serviceMonitor:
   enabled: false

cmd/podcli/check.go

@@ -12,10 +12,13 @@ import (
 	"strings"
 	"time"
 
+	"github.com/gorilla/websocket"
 	"github.com/spf13/cobra"
 	"go.uber.org/zap"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/grpc/health/grpc_health_v1"
 	"google.golang.org/grpc/status"
 )
@@ -27,6 +30,7 @@ var (
 	body            string
 	timeout         time.Duration
 	grpcServiceName string
+	grpcTLS         bool
 )
 
 var checkCmd = &cobra.Command{
@@ -63,6 +67,13 @@ var checkgRPCCmd = &cobra.Command{
 	RunE:    runCheckgPRC,
 }
 
+var checkWsCmd = &cobra.Command{
+	Use:     `ws [address]`,
+	Short:   "WebSocket round-trip health check",
+	Example: `  check ws ws://localhost:9898/ws/echo --retry=1 --delay=2s --timeout=5s`,
+	RunE:    runCheckWs,
+}
+
 func init() {
 	checkUrlCmd.Flags().StringVar(&method, "method", "GET", "HTTP method")
 	checkUrlCmd.Flags().StringVar(&body, "body", "", "HTTP POST/PUT content")
@@ -80,10 +91,16 @@ func init() {
 	checkgRPCCmd.Flags().DurationVar(&retryDelay, "delay", 1*time.Second, "wait duration between retries")
 	checkgRPCCmd.Flags().DurationVar(&timeout, "timeout", 5*time.Second, "timeout")
 	checkgRPCCmd.Flags().StringVar(&grpcServiceName, "service", "", "gRPC service name")
+	checkgRPCCmd.Flags().BoolVar(&grpcTLS, "tls", false, "use TLS for gRPC connection")
 	checkCmd.AddCommand(checkgRPCCmd)
 
 	checkCmd.AddCommand(checkCertCmd)
 
+	checkWsCmd.Flags().IntVar(&retryCount, "retry", 0, "times to retry the WebSocket check")
+	checkWsCmd.Flags().DurationVar(&retryDelay, "delay", 1*time.Second, "wait duration between retries")
+	checkWsCmd.Flags().DurationVar(&timeout, "timeout", 5*time.Second, "timeout")
+	checkCmd.AddCommand(checkWsCmd)
+
 	rootCmd.AddCommand(checkCmd)
 }
 
@@ -262,6 +279,72 @@ func fmtContentLength(b int64) string {
 	return fmt.Sprintf("%.1f %cB", float64(b)/float64(div), "kMGTPE"[exp])
 }
 
+func runCheckWs(cmd *cobra.Command, args []string) error {
+	if retryCount < 0 {
+		return fmt.Errorf("--retry is required")
+	}
+	if len(args) < 1 {
+		return fmt.Errorf("address is required! example: check ws wss://localhost:9898/ws/echo")
+	}
+
+	address := args[0]
+	if !strings.HasPrefix(address, "ws://") && !strings.HasPrefix(address, "wss://") {
+		return fmt.Errorf("address must start with ws:// or wss://")
+	}
+
+	for n := 0; n <= retryCount; n++ {
+		if n != 0 {
+			time.Sleep(retryDelay)
+		}
+
+		dialer := websocket.Dialer{
+			HandshakeTimeout: timeout,
+		}
+
+		conn, _, err := dialer.Dial(address, nil)
+		if err != nil {
+			logger.Info("check failed",
+				zap.String("address", address),
+				zap.Error(err))
+			continue
+		}
+
+		msg := "podinfo-check"
+		start := time.Now()
+
+		conn.SetWriteDeadline(start.Add(timeout))
+		if err := conn.WriteMessage(websocket.TextMessage, []byte(msg)); err != nil {
+			conn.Close()
+			logger.Info("check failed",
+				zap.String("address", address),
+				zap.Error(err))
+			continue
+		}
+
+		conn.SetReadDeadline(time.Now().Add(timeout))
+		_, resp, err := conn.ReadMessage()
+		if err != nil {
+			conn.Close()
+			logger.Info("check failed",
+				zap.String("address", address),
+				zap.Error(err))
+			continue
+		}
+
+		rtt := time.Since(start)
+		conn.Close()
+
+		logger.Info("check succeed",
+			zap.String("address", address),
+			zap.Duration("round-trip", rtt),
+			zap.Int("response size", len(resp)))
+		os.Exit(0)
+	}
+
+	os.Exit(1)
+	return nil
+}
+
 func runCheckgPRC(cmd *cobra.Command, args []string) error {
 	if retryCount < 0 {
 		return fmt.Errorf("--retry is required")
@@ -271,12 +354,19 @@ func runCheckgPRC(cmd *cobra.Command, args []string) error {
 	}
 	address := args[0]
 
+	var creds grpc.DialOption
+	if grpcTLS {
+		creds = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
+	} else {
+		creds = grpc.WithTransportCredentials(insecure.NewCredentials())
+	}
+
 	for n := 0; n <= retryCount; n++ {
-		if n != 1 {
+		if n != 0 {
 			time.Sleep(retryDelay)
 		}
 
-		conn, err := grpc.Dial(address, grpc.WithInsecure())
+		conn, err := grpc.NewClient(address, creds)
 		if err != nil {
 			logger.Info("check failed",
 				zap.String("address", address),
@@ -291,13 +381,14 @@ func runCheckgPRC(cmd *cobra.Command, args []string) error {
 
 		if err != nil {
 			if stat, ok := status.FromError(err); ok && stat.Code() == codes.Unimplemented {
-				logger.Info("gPRC health protocol not implemented")
+				logger.Info("gRPC health protocol not implemented")
 				os.Exit(1)
 			} else {
 				logger.Info("check failed",
 					zap.String("address", address),
 					zap.Error(err))
 			}
+			conn.Close()
 			continue
 		}
 
@@ -305,7 +396,6 @@ func runCheckgPRC(cmd *cobra.Command, args []string) error {
 		logger.Info("check succeed",
 			zap.String("status", resp.GetStatus().String()))
 		os.Exit(0)
-
 	}
 
 	os.Exit(1)

deploy/bases/backend/deployment.yaml

@@ -23,7 +23,7 @@ spec:
     spec:
       containers:
       - name: backend
-        image: ghcr.io/stefanprodan/podinfo:6.10.2
+        image: ghcr.io/stefanprodan/podinfo:6.11.1
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

deploy/bases/database/cronjob-backup-daily.yaml

@@ -23,7 +23,7 @@ spec:
           restartPolicy: Never
           containers:
           - name: backup
-            image: ghcr.io/stefanprodan/podinfo:6.10.2
+            image: ghcr.io/stefanprodan/podinfo:6.11.1
             imagePullPolicy: IfNotPresent
             command:
             - /bin/sh

deploy/bases/database/cronjob-rollup-daily.yaml

@@ -23,7 +23,7 @@ spec:
           restartPolicy: OnFailure
           containers:
           - name: healthcheck
-            image: ghcr.io/stefanprodan/podinfo:6.10.2
+            image: ghcr.io/stefanprodan/podinfo:6.11.1
             imagePullPolicy: IfNotPresent
             command:
             - /bin/sh

deploy/bases/database/cronjob-rollup-weekly.yaml

@@ -23,7 +23,7 @@ spec:
           restartPolicy: OnFailure
           containers:
           - name: healthcheck
-            image: ghcr.io/stefanprodan/podinfo:6.10.2
+            image: ghcr.io/stefanprodan/podinfo:6.11.1
             imagePullPolicy: IfNotPresent
             command:
             - /bin/sh

deploy/bases/database/deployment-replica.yaml

@@ -25,7 +25,7 @@ spec:
       serviceAccountName: database
       containers:
       - name: database
-        image: ghcr.io/stefanprodan/podinfo:6.10.2
+        image: ghcr.io/stefanprodan/podinfo:6.11.1
         imagePullPolicy: IfNotPresent
         ports:
         - name: db

deploy/bases/database/statefulset-primary.yaml

@@ -22,7 +22,7 @@ spec:
       serviceAccountName: database
       containers:
       - name: database
-        image: ghcr.io/stefanprodan/podinfo:6.10.2
+        image: ghcr.io/stefanprodan/podinfo:6.11.1
         imagePullPolicy: IfNotPresent
         ports:
         - name: db

deploy/bases/frontend/deployment.yaml

@@ -23,7 +23,7 @@ spec:
     spec:
       containers:
       - name: frontend
-        image: ghcr.io/stefanprodan/podinfo:6.10.2
+        image: ghcr.io/stefanprodan/podinfo:6.11.1
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

deploy/webapp/backend/deployment.yaml

@@ -25,7 +25,7 @@ spec:
       serviceAccountName: webapp
       containers:
       - name: backend
-        image: ghcr.io/stefanprodan/podinfo:6.10.2
+        image: ghcr.io/stefanprodan/podinfo:6.11.1
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

deploy/webapp/frontend/deployment.yaml

@@ -25,7 +25,7 @@ spec:
       serviceAccountName: webapp
       containers:
       - name: frontend
-        image: ghcr.io/stefanprodan/podinfo:6.10.2
+        image: ghcr.io/stefanprodan/podinfo:6.11.1
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

kustomize/deployment.yaml

@@ -23,7 +23,7 @@ spec:
     spec:
       containers:
       - name: podinfod
-        image: ghcr.io/stefanprodan/podinfo:6.10.2
+        image: ghcr.io/stefanprodan/podinfo:6.11.1
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

pkg/api/http/store.go

@@ -7,11 +7,14 @@ import (
 	"net/http"
 	"os"
 	"path"
+	"regexp"
 
 	"github.com/gorilla/mux"
 	"go.uber.org/zap"
 )
 
+var validHash = regexp.MustCompile(`^[a-f0-9]{40}$`)
+
 // Store godoc
 // @Summary Upload file
 // @Description writes the posted content to disk at /data/hash and returns the SHA1 hash of the content
@@ -54,12 +57,19 @@ func (s *Server) storeReadHandler(w http.ResponseWriter, r *http.Request) {
 	defer span.End()
 
 	hash := mux.Vars(r)["hash"]
+	if !validHash.MatchString(hash) {
+		s.ErrorResponse(w, r, span, "invalid hash", http.StatusBadRequest)
+		return
+	}
 	content, err := os.ReadFile(path.Join(s.config.DataPath, hash))
 	if err != nil {
 		s.logger.Warn("reading file failed", zap.Error(err), zap.String("file", path.Join(s.config.DataPath, hash)))
 		s.ErrorResponse(w, r, span, "reading file failed", http.StatusInternalServerError)
 		return
 	}
+	w.Header().Set("Content-Type", "application/octet-stream")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("Content-Security-Policy", "default-src 'none'")
 	w.WriteHeader(http.StatusAccepted)
 	w.Write([]byte(content))
 }

pkg/api/http/store_test.go

@@ -0,0 +1,82 @@
+package http
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/gorilla/mux"
+)
+
+func TestStoreReadHandler_ContentType(t *testing.T) {
+	dataDir := t.TempDir()
+	srv := NewMockServer()
+	srv.config.DataPath = dataDir
+
+	// Write an HTML payload to the store.
+	writeReq, err := http.NewRequest("POST", "/store", strings.NewReader("<html><script>alert(1)</script></html>"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	writeRR := httptest.NewRecorder()
+	http.HandlerFunc(srv.storeWriteHandler).ServeHTTP(writeRR, writeReq)
+
+	if writeRR.Code != http.StatusAccepted {
+		t.Fatalf("store write returned status %d, want %d", writeRR.Code, http.StatusAccepted)
+	}
+
+	// Read it back and verify Content-Type is application/octet-stream, not text/html.
+	hash := hash("<html><script>alert(1)</script></html>")
+	readReq, err := http.NewRequest("GET", "/store/"+hash, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	readReq = mux.SetURLVars(readReq, map[string]string{"hash": hash})
+
+	readRR := httptest.NewRecorder()
+	http.HandlerFunc(srv.storeReadHandler).ServeHTTP(readRR, readReq)
+
+	if readRR.Code != http.StatusAccepted {
+		t.Fatalf("store read returned status %d, want %d", readRR.Code, http.StatusAccepted)
+	}
+
+	expectedHeaders := map[string]string{
+		"Content-Type":            "application/octet-stream",
+		"X-Content-Type-Options":  "nosniff",
+		"Content-Security-Policy": "default-src 'none'",
+	}
+	for header, want := range expectedHeaders {
+		if got := readRR.Header().Get(header); got != want {
+			t.Errorf("%s = %q, want %q", header, got, want)
+		}
+	}
+}
+
+func TestStoreReadHandler_PathTraversal(t *testing.T) {
+	srv := NewMockServer()
+	srv.config.DataPath = t.TempDir()
+
+	traversalPaths := []string{
+		"../../../../etc/passwd",
+		"../../../etc/shadow",
+		"..%2f..%2f..%2fetc%2fpasswd",
+		"abc123",
+		"zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzg", // 40 chars but not hex
+	}
+
+	for _, tp := range traversalPaths {
+		req, err := http.NewRequest("GET", "/store/"+tp, nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+		req = mux.SetURLVars(req, map[string]string{"hash": tp})
+
+		rr := httptest.NewRecorder()
+		http.HandlerFunc(srv.storeReadHandler).ServeHTTP(rr, req)
+
+		if !strings.Contains(rr.Body.String(), "invalid hash") {
+			t.Errorf("path %q: expected 'invalid hash' error, got %q", tp, rr.Body.String())
+		}
+	}
+}

pkg/version/version.go

@@ -1,4 +1,4 @@
 package version
 
-var VERSION = "6.10.2"
+var VERSION = "6.11.1"
 var REVISION = "unknown"

timoni/podinfo/values.cue

@@ -9,7 +9,7 @@ package main
 values: {
 	image: {
 		repository: "ghcr.io/stefanprodan/podinfo"
-		tag:        "6.10.2"
+		tag:        "6.11.1"
 		digest:     ""
 	}
 	test: image: {