
configmap-reload's Introduction

Kubernetes ConfigMap Reload


configmap-reload is a simple binary to trigger a reload when Kubernetes ConfigMaps or Secrets, mounted into pods, are updated. It watches mounted volume dirs and notifies the target process that the config map has been changed. It currently only supports sending an HTTP request, but in future it is expected to support sending OS signals (e.g. SIGHUP) once Kubernetes supports pod PID namespaces.

Since version v0.10, the Docker image is available from ghcr.io at https://github.com/jimmidyson/configmap-reload/pkgs/container/configmap-reload. Previous versions are available from Docker Hub at https://hub.docker.com/r/jimmidyson/configmap-reload.

Usage

Usage of ./out/configmap-reload:
  -volume-dir value
        the config map volume directory to watch for updates; may be used multiple times
  -web.listen-address string
        address to listen on for web interface and telemetry. (default ":9533")
  -web.telemetry-path string
        path under which to expose metrics. (default "/metrics")
  -webhook-method string
        the HTTP method url to use to send the webhook (default "POST")
  -webhook-status-code int
        the HTTP status code indicating successful triggering of reload (default 200)
  -webhook-url string
        the url to send a request to when the specified config map volume directory has been updated
  -webhook-retries integer
        the amount of times to retry the webhook reload request

License

This project is Apache Licensed

configmap-reload's People

Contributors

ashokks80, dependabot[bot], jameseck, jimmidyson, jones2026, jsoref, jwkohnen, like-inspur, migueleliasweb, mpascual, mrueg, paulfantom, raptorsun, vvvirenyu, wjkohnen, yselkowitz, yugandhad


configmap-reload's Issues

Vulnerabilities in image jimmidyson/configmap-reload:v0.7.1

Please take care of the Vulnerabilities in image jimmidyson/configmap-reload:v0.7.1
Scan results for: image jimmidyson/configmap-reload:v0.7.1 sha256:db09e1c4a336e6a36a43b8910f8cc474a36ee05a5237ac296362df43bc246df7
Vulnerabilities
+----------------+----------+------+---------+---------+--------------------------+-----------+------------+----------------------------------------------------+
| CVE            | SEVERITY | CVSS | PACKAGE | VERSION | STATUS                   | PUBLISHED | DISCOVERED | DESCRIPTION                                        |
+----------------+----------+------+---------+---------+--------------------------+-----------+------------+----------------------------------------------------+
| CVE-2022-23806 | critical | 9.10 | go      | 1.17.6  | fixed in 1.17.7, 1.16.14 | 49 days   | < 1 hour   | Curve.IsOnCurve in crypto/elliptic in Go before    |
|                |          |      |         |         | 49 days ago              |           |            | 1.16.14 and 1.17.x before 1.17.7 can incorrectly   |
|                |          |      |         |         |                          |           |            | return true in situations with a big.Int value     |
|                |          |      |         |         |                          |           |            | that i...                                          |
+----------------+----------+------+---------+---------+--------------------------+-----------+------------+----------------------------------------------------+
| CVE-2022-27191 | high     | 7.50 | go      | 1.17.6  | fixed in 0.0.0           | 14 days   | < 1 hour   | golang.org/x/crypto/ssh before                     |
|                |          |      |         |         | 14 days ago              |           |            | 0.0.0-20220314234659-1baeb1ce4c0b in Go through    |
|                |          |      |         |         |                          |           |            | 1.16.15 and 1.17.x through 1.17.8 allows an        |
|                |          |      |         |         |                          |           |            | attacker to crash a server ...                     |
+----------------+----------+------+---------+---------+--------------------------+-----------+------------+----------------------------------------------------+
| CVE-2022-24921 | high     | 7.50 | go      | 1.17.6  | fixed in 1.17.8, 1.16.15 | 27 days   | < 1 hour   | regexp.Compile in Go before 1.16.15 and 1.17.x     |
|                |          |      |         |         | 27 days ago              |           |            | before 1.17.8 allows stack exhaustion via a deeply |
|                |          |      |         |         |                          |           |            | nested expression.                                 |
+----------------+----------+------+---------+---------+--------------------------+-----------+------------+----------------------------------------------------+
| CVE-2022-23773 | high     | 7.50 | go      | 1.17.6  | fixed in 1.17.7, 1.16.14 | 49 days   | < 1 hour   | cmd/go in Go before 1.16.14 and 1.17.x before      |
|                |          |      |         |         | 49 days ago              |           |            | 1.17.7 can misinterpret branch names that falsely  |
|                |          |      |         |         |                          |           |            | appear to be version tags. This can lead to        |
|                |          |      |         |         |                          |           |            | incorrect ...                                      |
+----------------+----------+------+---------+---------+--------------------------+-----------+------------+----------------------------------------------------+
| CVE-2022-23772 | high     | 7.50 | go      | 1.17.6  | fixed in 1.17.7, 1.16.14 | 49 days   | < 1 hour   | Rat.SetString in math/big in Go before 1.16.14 and |
|                |          |      |         |         | 49 days ago              |           |            | 1.17.x before 1.17.7 has an overflow that can lead |
|                |          |      |         |         |                          |           |            | to Uncontrolled Memory Consumption.                |
+----------------+----------+------+---------+---------+--------------------------+-----------+------------+----------------------------------------------------+

Vulnerabilities found for image jimmidyson/configmap-reload:v0.7.1: total - 5, critical - 1, high - 4, medium - 0, low - 0
Vulnerability threshold check results: PASS

Compliance found for image jimmidyson/configmap-reload:v0.7.1: total - 0, critical - 0, high - 0, medium - 0, low - 0
Compliance threshold check results: PASS

Bump version to fix CVE

Hi, dependabot PR 774d72d fixed a CVE in google.golang.org/protobuf. Could you bump the release tags to include this change?

Signed images

Proposal

Use case. Why is this important?
Docker Content Trust allows us to verify if the images downloaded are indeed the images that jimmidyson/configmap-reload published. Security measures can be set up to only download signed images.

Is there any particular reason why signed images haven't been added, or is it simply a feature which hasn't been looked into yet?

https://docs.docker.com/engine/security/trust/content_trust/

webhook error: Received response code 405 , expected 200

configmap-reload container showing following logs when configmap is updated:

2021/10/26 18:13:56 Watching directory: "/etc/config"
2021/10/26 18:50:08 config map updated
2021/10/26 18:50:08 performing webhook request (1/1)
2021/10/26 18:50:08 error: Received response code 405 , expected 200
2021/10/26 18:50:18 error: Webhook reload retries exhausted

however curl from inside configmap-reload container to same webhook gets expected 200 response and prometheus configuration reloads successfully

./curl-amd64 -vvvvvv -X POST http://127.0.0.1:9090/prometheus/-/reload
Trying 127.0.0.1:9090...
Connected to 127.0.0.1 (127.0.0.1) port 9090 (#0)
POST /prometheus/-/reload HTTP/1.1
Host: 127.0.0.1:9090
User-Agent: curl/7.79.1
Accept: */*

Mark bundle as not supporting multiuse
HTTP/1.1 200 OK
Date: Wed, 27 Oct 2021 15:14:31 GMT
Content-Length: 0

Connection #0 to host 127.0.0.1 left intact

Official dockerhub image

Hi,

Want to check if there is a docker image for configmap-reload which is an official docker image? I could not find one under dockerhub official images https://hub.docker.com/explore/

If not, want to check if there is any plan to add an official configmap-reload image to dockerhub? https://docs.docker.com/docker-hub/official_repos/#how-do-i-create-a-new-official-repository

Also want to check if it makes sense to make configmap-reload an official image based on the subjective considerations from the link.

Allow retry when sending reload requests

Currently the code will just report failure if the request to the webhook-url fails. It would be quite nice if one could set up some extra configs to retry if the request fails.

Nginx did not reload the configuration file

[root@p47659v reload]# kubectl logs reload-pod -n lc
2020/11/20 06:40:04 Watching directory: "/tmp/conf"
2020/11/20 06:41:25 config map updated
2020/11/20 06:41:25 performing webhook request (1/1)
2020/11/20 06:41:25 successfully triggered reload

Before modification
[root@p47659v reload]# kubectl get cm my-nginx-test -o yaml
apiVersion: v1
data:
  my-nginx.conf: |
    server{
      listen 80;
      server_name www.my-test-nginx.com;
      gzip on;
      gzip_types text/plain application/xml;

      location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
      }
    }

kind: ConfigMap
metadata:
  creationTimestamp: "2020-11-20T03:11:35Z"
  name: my-nginx-test
  namespace: default
  resourceVersion: "3369946"
  selfLink: /api/v1/namespaces/default/configmaps/my-nginx-test
  uid: 968990d6-d9aa-4fb5-b249-d549fd8c0770

After modification
[root@p47659v reload]# kubectl get cm my-nginx-test -o yaml
apiVersion: v1
data:
  my-nginx.conf: |
    server{
      listen 80;
      server_name www.my-test-nginx.com;
      gzip on;
      gzip_types text/plain application/xml;

      location /hello {
        root /usr/share/nginx/html;
        index index.html index.htm;
      }
    }

kind: ConfigMap
metadata:
  creationTimestamp: "2020-11-20T03:11:35Z"
  name: my-nginx-test
  namespace: default
  resourceVersion: "3369946"
  selfLink: /api/v1/namespaces/default/configmaps/my-nginx-test
  uid: 968990d6-d9aa-4fb5-b249-d549fd8c0770

[root@p47659v reload]# kubectl get svc -n lc
NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
my-test-nginx   ClusterIP   10.103.133.112   <none>        80/TCP    3h23m

curl 10.103.133.112/hello

<title>404 Not Found</title>

404 Not Found


nginx/1.14.2

Here's my reload.yaml

apiVersion: v1
kind: Pod
metadata:
  name: reload-pod
  namespace: lc
spec:
  containers:
  - name: reload-container
    image: jimmidyson/configmap-reload
    volumeMounts:
    - name: config
      mountPath: /tmp/conf
    command: ["./configmap-reload","-volume-dir=/tmp/conf","-webhook-method=GET","-webhook-status-code=200","-webhook-url=http://my-test-nginx.lc"]
  volumes:
  - name: config
    configMap:
      name: my-nginx-test

Vulnerability fix in the version 0.8.0

Go version 1.19 has lots of vulnerabilities. I did a recent scan on version 0.8.0, and I see all the vulnerabilities are related to go version 1.19. All the vulnerabilities can be fixed by updating the go version to 1.20.3.

Dependency on very old sys package

Hi,

I have very limited knowledge about GO, so I might be completely off, so please bear with me if that is the case...

It seems that this project depends on a very old version of "golang.org/x/sys". When building, the version listed in go.mod is v0.0.0-20150901164945-9c60d1c508f5, which is about 4 years old.

We would like to use the configmap-reload (through prometheus-operator helm chart), but my company has very strict policies when old versions of (four-party) software would be used. Could you please update the dependency to a more recent one?

how to use this sidecar method?

Hello, I have a question: I use the command kubectl edit cm xxx, then use Vi to modify the file. After editing, how do I use this sidecar to update the configmaps?

Usage of ./out/configmap-reload:

-volume-dir value

the config map volume directory to watch for updates; may be used multiple times

I cannot understand the usage. Could you help by giving us a specific example?

Thanks a lot and have a nice day .
All wishes:)

Security Vulnerabilities

We scan image for vulnerabilities with twistlock scan and found below vulnerabilities:

Packages: go
Package Version :1.15.7
Fix Status: fixed in 1.16.7, 1.15.15
Risk Factors:
Attack vector: network, Has fix, Medium severity, Recent vulnerability
Attack complexity: low, Attack vector: network, Has fix, High severity, Recent vulnerability
Attack complexity: low, Attack vector: network, Medium severity, Recent vulnerability
Attack vector: network, DoS, Has fix, Medium severity, Recent vulnerability
Attack complexity: low, Attack vector: network, Has fix, Medium severity, Recent vulnerability
Attack complexity: low, Attack vector: network, Has fix, High severity, Recent vulnerability
Attack complexity: low, Attack vector: network, DoS, High severity, Recent vulnerability
Attack complexity: low, Attack vector: network, Has fix, High severity, Recent vulnerability
Attack complexity: low, Attack vector: network, Has fix, High severity, Recent vulnerability
Attack complexity: low, Attack vector: network, Has fix, High severity, Recent vulnerability

Can I know when you are planning to bring a patched image, or can you work to fix these? I have also attached the full twistlock scan report for more details of the above vulnerabilities:
jimmidyson twistlock scan report.xlsx
Thanks and appreciated

How do I listen for multiple subdirectories?

I mounted multiple ConfigMaps to different directories, and then used configmap-reload to listen to the parent directory. When I update the configmap, configmap-reload can't find the changes. Do you not support sub-directories under the directory? How do I listen to multiple directories?

Update busybox image

Thanks for this nice tool!

There are some vulnerabilities discovered in busybox 1.33.0.
An update of the busybox image from 1.33.0 to 1.35.0 fixes some critical and high vulnerabilities.

Thanks

configmap-reload binary build fails on s390x

Hi,
I'm trying to build the binary for s390x platform. Getting the below error:
root@platcon3:~/go/src/github.com/img-configmap-reload# ./build.sh
~/go/src/github.com/img-configmap-reload/configmap-reload ~/go/src/github.com/img-configmap-reload

command -v dep >/dev/null 2>&1 || go get github.com/golang/dep/cmd/dep
if [ ! -e /root/go/src/github.com/img-configmap-reload/configmap-reload/_gopath/src/github.com/jimmidyson ]; then mkdir -p /root/go/src/github.com/img-configmap-reload/configmap-reload/_gopath/src/github.com/jimmidyson && ln -s -f /root/go/src/github.com/img-configmap-reload/configmap-reload /root/go/src/github.com/img-configmap-reload/configmap-reload/_gopath/src/github.com/jimmidyson; fi
cd /root/go/src/github.com/img-configmap-reload/configmap-reload/_gopath/src/github.com/jimmidyson/configmap-reload && dep ensure -v
Warning: the following project(s) have [[constraint]] stanzas in Gopkg.toml:

✗ gopkg.in/fsnotify.v1

However, these projects are not direct dependencies of the current project:
they are not imported in any .go files, nor are they in the 'required' list in
Gopkg.toml. Dep only applies [[constraint]] rules to direct dependencies, so
these rules will have no effect.

Either import/require packages from these projects so that they become direct
dependencies, or convert each [[constraint]] to an [[override]] to enforce rules
on these projects, if they happen to be transitive dependencies.

Gopkg.lock is out of sync with Gopkg.toml and project imports:

gopkg.in/fsnotify/fsnotify.v1: imported or required, but missing from Gopkg.lock's input-imports

Root project is "github.com/jimmidyson/configmap-reload"
1 transitively valid internal packages
1 external packages imported from 1 projects
(0) ✓ select (root)
(1) ? attempt gopkg.in/fsnotify/fsnotify.v1 with 1 pkgs; at least 1 versions to try
(1) try gopkg.in/fsnotify/[email protected]
(1) ✓ select gopkg.in/fsnotify/[email protected] w/1 pkgs
(2) ? attempt golang.org/x/sys with 1 pkgs; at least 1 versions to try
(2) try golang.org/x/sys@9c60d1c508f5134d1ca726b4641db998f2523357
(2) ✓ select golang.org/x/sys@9c60d1c508f5134d1ca726b4641db998f2523357 w/1 pkgs
✓ found solution with 2 packages from 2 projects

Solver wall times by segment:
b-deduce-proj-root: 4.093326944s
b-source-exists: 3.384806711s
b-list-pkgs: 224.683871ms
b-gmal: 126.299402ms
select-atom: 574.382µs
new-atom: 469.543µs
satisfy: 308.879µs
select-root: 63.467µs
other: 30.708µs

TOTAL: 7.830563907s

(1/2) Wrote gopkg.in/fsnotify/[email protected]
(2/2) Wrote golang.org/x/sys@9c60d1c508f5134d1ca726b4641db998f2523357
if [ ! -e /root/go/src/github.com/img-configmap-reload/configmap-reload/_gopath/src/github.com/jimmidyson ]; then mkdir -p /root/go/src/github.com/img-configmap-reload/configmap-reload/_gopath/src/github.com/jimmidyson && ln -s -f /root/go/src/github.com/img-configmap-reload/configmap-reload /root/go/src/github.com/img-configmap-reload/configmap-reload/_gopath/src/github.com/jimmidyson; fi
cd /root/go/src/github.com/img-configmap-reload/configmap-reload/_gopath/src/github.com/jimmidyson/configmap-reload && CGO_ENABLED=0 GOARCH=s390x GOOS=linux go build --installsuffix cgo -ldflags="-s -w -extldflags '-static'" -a -o ./out/configmap-reload-linux-s390x configmap-reload.go

github.com/jimmidyson/configmap-reload/vendor/golang.org/x/sys/unix

vendor/golang.org/x/sys/unix/flock.go:18:42: undefined: Flock_t
vendor/golang.org/x/sys/unix/sockcmsg_linux.go:14:29: undefined: Ucred
vendor/golang.org/x/sys/unix/sockcmsg_linux.go:27:54: undefined: Ucred
vendor/golang.org/x/sys/unix/sockcmsg_unix.go:42:9: undefined: Cmsghdr
Makefile:45: recipe for target 'out/configmap-reload-linux-s390x' failed
make: *** [out/configmap-reload-linux-s390x] Error 2

Could you please help me in resolving the issue.

arm images broken for v0.10 and v0.11

The error exec /configmap-reload: exec format error is given when attempting to run either the 0.10 or 0.11 images on arm nodes. 0.9 and older work correctly.

High CVE in go v1.20.5

CVE-2023-39533 exists in go v1.20.5 and resolved in v1.20.7. Could you please bump the version?

Alternatively, is configmap-reload even affected by this CVE?

Two relevant CVEs in go1.17.8

From what I can tell, the latest version of configmap-reload v0.7.1 was built with golang 1.17.8

root@3669499cdcd0:/# strings /configmap-reload | grep '^go1'
go1.17.8

1.17.8 is vulnerable to CVE-2022-28327 and CVE-2022-24675, which were both fixed in 1.17.9.
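
Added example, not part of the issue above and not configmap-reload's own code: a Go sketch that reads the toolchain version from a compiled binary with debug/buildinfo and checks it against a scanner's "fixed in" list, using version strings quoted in the issues on this page. The names ToolchainOf and Affected, and the rule applied to release lines that have no listed fix, are assumptions of this example.

```go
// Added example (not configmap-reload code): Go toolchain vs. "fixed in" triage.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVer is a parsed Go release: "go1.17.8" -> {1, 17, 8}.
type goVer struct{ major, minor, patch int }

// parseGoVer accepts "go1.17.8", "1.17.8" or "1.20" (patch defaults to 0).
func parseGoVer(s string) (goVer, error) {
	v, _, _ := strings.Cut(strings.TrimSpace(s), " ") // drop " X:..." suffixes
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVer{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return goVer{}, fmt.Errorf("unrecognised Go version %q", s)
		}
		n[i] = x
	}
	return goVer{n[0], n[1], n[2]}, nil
}

// ToolchainOf reads the Go version embedded in a compiled Go binary.
func ToolchainOf(path string) (string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return info.GoVersion, nil
}

// Affected reports whether a binary built with `built` predates the fix.
// fixedIn is the scanner's comma-separated list, one patched release per
// maintained line, e.g. "1.17.7, 1.16.14".
func Affected(built, fixedIn string) (bool, error) {
	b, err := parseGoVer(built)
	if err != nil {
		return false, err
	}
	newestMinor := -1
	for _, f := range strings.Split(fixedIn, ",") {
		fix, err := parseGoVer(f)
		if err != nil {
			return false, err
		}
		if fix.major != b.major {
			// e.g. "0.0.0": a module pseudo-version, not a toolchain release.
			return false, fmt.Errorf("%q is not a Go toolchain release", strings.TrimSpace(f))
		}
		if fix.minor == b.minor {
			return b.patch < fix.patch, nil // same release line: compare patch
		}
		if fix.minor > newestMinor {
			newestMinor = fix.minor
		}
	}
	// Assumption: a line newer than every patched line shipped with the fix;
	// an older line never received it and stays affected.
	return b.minor < newestMinor, nil
}

func main() {
	path, _ := os.Executable() // default: inspect this program itself
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	built, err := ToolchainOf(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read build info:", err)
		os.Exit(1)
	}
	// "fixed in" values quoted in the issues on this page.
	for _, fixedIn := range []string{"1.17.7, 1.16.14", "1.17.9", "1.20.7"} {
		hit, err := Affected(built, fixedIn)
		fmt.Printf("built=%s fixed-in=%q affected=%v err=%v\n", built, fixedIn, hit, err)
	}
}
```

A "fixed in 0.0.0" entry, as in the CVE-2022-27191 row of the scan table earlier on this page, is rejected with an error rather than compared, because it is not a toolchain version.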

Please include release version in binary

Please include the tool's release version in the image or binary (eg. in a -version command, the help text and/or as environment variable/label). This would be very convenient for sync jobs into private registries.

Info logs are written to stderr

Hi, first of all thank you very much!

I noticed that the info logs are written to stderr, thus showing up as errors on the GCP logs explorer (Kubernetes):

nonroot user mismatch

Hello, given that upstream image NONROOT user is different than USER

NONROOT = 65532

vs

USER 65534

Don't we need

RUN chown -R 65534:65534 /home/nonroot

in order to avoid:

OCI runtime create failed: container_linux.go:346: starting container process caused "chdir to cwd (\"/home/nonroot\") set in config.json failed: permission denied"

I have been able to mitigate the issue in 2 ways:

  1. Update the container scc to run as user: 65532
  2. Set container workingDir: "/"

auto-restart all Pods which bind ConfigMap values to environment variables

Configuring docker containers via environment variables is very common. Other than volumes it's the main way to configure things.

You cannot change the value of an environment variable from the outside once the pod has started. So the only option to make the new ConfigMap value effective is to restart the pod.

So when the configmap-reload is watching some configmaps (using a selector or annotation?), any pod that's found which uses an environment variable for a value in the configmap should be auto-restarted when the ConfigMap changes.

Extra bonus points if we can deduce that the values mapped to the pod don't actually change ;) - we can test the values of the env vars in the pod to see if they are the same as the current values on the ConfigMap to minimise restarts.

We could mimic a rolling update maybe; doing one pod at a time for a certain Deployment / ReplicaSet / RC / DC?

Add Mutual TLS Support

  1. Support TLS 1.3 and 1.2 versions
  2. ConfigMap-reload needs to support Mutual TLS if the target process is running in TLS mode
  3. ConfigMap-reload can also expose metrics over Mutual TLS
  4. TLS Server in ConfigMap-reload can wait for the TLS Certs to be available as part of the start-up process
  5. TLS Certificates need to be automatically reloaded (if expired) using inotify mechanism

A recent experimental feature in Prometheus allows users to configure direct TLS support without the usage of proxies.
See prometheus/prometheus#8316, https://prometheus.io/docs/prometheus/latest/configuration/https/ and https://prometheus.io/docs/guides/tls-encryption/ for more details.

Expose prometheus metrics

It would be useful to have some metrics:

  • total number of reload events
  • total number of watcher errors
  • total number of webhook requests by status code
  • duration of webhook request

Otherwise you might assume you applied configuration which actually wasn't loaded due to errors.
Related #7

Release new version v0.2

Hello, what do you think about creating a new release with the new features ? It could be tagged v0.2 or if using semver create a v1.0.0 since it seems to be pretty stable :)

Support sending signals on file change

Since Kubernetes 1.11 it's possible to share the IPC namespace, allowing to send signals between containers.
Since many services reload their config on a signal, e.g. SIGHUP, it would make sense to add this to the configmap-reloader.

Specifically I like to reload fluentd on configmap change.

Kernel errors on running in ARM64

I'm running a Prometheus-operator deployment that uses configmap-reload image on a Rock64 ARM64 board.

I see in the logs the following error in journalctl:

Mar 13 10:15:27 kubenode2 kernel: configmap-reloa[9418]: syscall 1069
Mar 13 10:15:27 kubenode2 kernel: Code: f94023e4 f94027e5 f9400fe8 d4000001 (b13ffc1f)
Mar 13 10:15:27 kubenode2 kernel: CPU: 2 PID: 9418 Comm: configmap-reloa Not tainted 4.4.77-rockchip-ayufan-136 #1
Mar 13 10:15:27 kubenode2 kernel: Hardware name: Rockchip RK3328 Rock64 (DT)
Mar 13 10:15:27 kubenode2 kernel: task: ffffffc01eb28dc0 ti: ffffffc01eac8000 task.ti: ffffffc01eac8000
Mar 13 10:15:27 kubenode2 kernel: PC is at 0x76aa8
Mar 13 10:15:27 kubenode2 kernel: LR is at 0x76a88
Mar 13 10:15:27 kubenode2 kernel: pc : [<0000000000076aa8>] lr : [<0000000000076a88>] pstate: 20000000
Mar 13 10:15:27 kubenode2 kernel: sp : 0000004420119b30
Mar 13 10:15:27 kubenode2 kernel: x29: 0000000000000000 x28: 0000004420001080
Mar 13 10:15:27 kubenode2 kernel: x27: 0000000000387e60 x26: 0000000000000000
Mar 13 10:15:27 kubenode2 kernel: x25: 0000000000000000 x24: 0000000000000000
Mar 13 10:15:27 kubenode2 kernel: x23: 0000000000000000 x22: 0000000000000000
Mar 13 10:15:27 kubenode2 kernel: x21: 0000000000000000 x20: 0000000000000000
Mar 13 10:15:27 kubenode2 kernel: x19: 0000000000000000 x18: 0000000000000000
Mar 13 10:15:27 kubenode2 kernel: x17: 000000442005c180 x16: 0000004420119c70
Mar 13 10:15:27 kubenode2 kernel: x15: 0000000000000001 x14: 0000000000000000
Mar 13 10:15:27 kubenode2 kernel: x13: 000000442005c120 x12: 0000000000000000
Mar 13 10:15:27 kubenode2 kernel: x11: 0000000000000001 x10: 000000442005c180
Mar 13 10:15:27 kubenode2 kernel: x9 : 0000000000000000 x8 : 000000000000042d
Mar 13 10:15:27 kubenode2 kernel: x7 : 0000000000000002 x6 : 0000000000000001
Mar 13 10:15:27 kubenode2 kernel: x5 : 0000000000000000 x4 : 0000000000000000
Mar 13 10:15:27 kubenode2 kernel: x3 : ffffffffffffffff x2 : 0000000000000007
Mar 13 10:15:27 kubenode2 kernel: x1 : 0000004420119c28 x0 : 0000000000000005
Mar 13 10:15:27 kubenode2 kernel:

In the app logs, I see this error:

2018/03/13 15:14:39 Watching directory: "/etc/alertmanager/config"
2018/03/13 15:14:50 error: function not implemented
2018/03/13 15:14:55 error: function not implemented
2018/03/13 15:15:00 error: function not implemented
2018/03/13 15:15:11 error: function not implemented
2018/03/13 15:15:19 error: function not implemented

It's the only container I see this, any tips on what to investigate? Seems something related to epoll.

Retry failed webhooks

Hi,

what do you think about retrying failed webhooks? Maybe by using http://godoc.org/github.com/hashicorp/go-retryablehttp?

For example I updated a configmap while prometheus was in crash recovery, so it didn't reload the config. As a workaround I had to do some 'fake' changes to trigger a reload. I think you would usually want to reload to be retried.

Reload is not triggered when watching multiple volume dirs

I'm setting configmap-reload in the same Pod as Prometheus to monitor two directories :

      - name: configmap-reload
        image: docker.tuenti.io/monitoring/configmap-reload:v0.1
        args:
          - --volume-dir=/etc/prometheus/config
          - --volume-dir=/etc/prometheus/rules
          - --webhook-url=http://localhost:9090/-/reload
        volumeMounts:
        - name: config-volume
          mountPath: /etc/prometheus/config
          readOnly: true
        - name: rules-volume
          mountPath: /etc/prometheus/rules
          readOnly: true

Changing the config files in any of these volume dirs doesn't trigger a reload, if I keep just one of them - it works.

Am I missing something? any ideas?

Thanks!

Critical vulnerability impacting configmap-reload

Hi,

We are an enterprise using configmap-reload and found there is a critical vulnerability impacting the latest version available, CVE-2021-38297.

It impacts the following versions of go which may be used by configmap-reload:
go:1.15.7
go:1.15.1
go:1.13.6
go:1.16.7
go:1.17.1
go:1.16.1
go:1.16.5

It is fixed in 1.17.2, 1.16.9.

Is there a possibility to point us to a fixed version if it exists, or help create a new version that includes a fix for the image?

Thank you,

  • Patrick

CVE's in latest version of configmap-reload image v0.10.0

Have too many CVE's in latest version of configmap-reload image version v0.10.0,
(6 Critical, 8 High, 8 Medium, 2 Low),

All these CVEs are coming from the glibc executable from busybox. Can we get this fixed in the latest planned version sooner, because this has critical CVEs as well?

Trivy scan Report shows below showstoppers -

CRITICAL

CVE-2021-35942
CVE-2022-23219
CVE-2022-23218

HIGH

CVE-2020-1752
CVE-2020-6096
CVE-2021-3326
CVE-2021-38604

It works for secrets too!

I think it's worth mentioning in the documentation that it works for secrets too. Both to provide visibility to the feature and to lock it in as something users can rely on.

I assume it uses inotify or something similar, and not the kube API, in which case i would think also a sidecar container generating config files in a shared mount would also trigger it. If this is the case I think it would be useful to document the general versatility of this tool beyond its primary intended use-case of notifying on ConfigMap changes.

provide basic-auth (user/pass) in webhook url does not work

I'm trying to pass a username and password to the webhook url like:

https://username:[email protected]/configuration-as-code/reload

throws the following error:

$ k logs -f configmap-reloader-jenkins-non-prod-74bd578dbf-nlhj5
2018/10/01 12:46:03 Watching directory: "/var/jenkins_home/casc_configs/"
2018/10/01 12:49:40 config map updated
2018/10/01 12:49:42 error: Received response code 403 , expected 200
error: unexpected EOF

i can confirm that the username and the password are correct, tried that via curl and it works.

is this a limitation of net/http newRequest?
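
Added example, not part of the issue above and not configmap-reload's own code: a Go sketch showing what the standard net/http client does with `user:password` userinfo in a request URL, and how to redact such a URL before it is written to a log. The host, credentials and function names are constructed for illustration; a recording transport stands in for the network so the example runs offline.

```go
// Added example (not configmap-reload code): URL userinfo and net/http.
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// captureTransport records the outgoing request and answers 200 without
// touching the network.
type captureTransport struct{ sent *http.Request }

func (c *captureTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	c.sent = r
	return &http.Response{
		StatusCode: http.StatusOK,
		Header:     http.Header{},
		Body:       io.NopCloser(strings.NewReader("")),
		Request:    r,
	}, nil
}

// SentBasicAuth issues method+rawURL through http.Client and returns the Basic
// credentials present on the request as it reached the transport.
func SentBasicAuth(method, rawURL string) (user, pass string, ok bool, err error) {
	req, err := http.NewRequest(method, rawURL, nil)
	if err != nil {
		return "", "", false, err
	}
	ct := &captureTransport{}
	resp, err := (&http.Client{Transport: ct}).Do(req)
	if err != nil {
		return "", "", false, err
	}
	resp.Body.Close()
	// The client derives "Authorization: Basic ..." from the URL userinfo
	// when the caller has not set an Authorization header itself.
	user, pass, ok = ct.sent.BasicAuth()
	return user, pass, ok, nil
}

// RedactURL returns rawURL with any password replaced, for use in log lines.
func RedactURL(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "<unparseable URL>"
	}
	return u.Redacted()
}

func main() {
	// Constructed sample URL; "%40" is a percent-encoded "@" in the password.
	const hook = "https://reload-user:p%40ss@jenkins.example.internal/configuration-as-code/reload"
	user, pass, ok, err := SentBasicAuth(http.MethodPost, hook)
	fmt.Println(user, pass, ok, err)
	fmt.Println(RedactURL(hook))
}
```

Reserved characters in the password must be percent-encoded in the URL; the client decodes them before building the header.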

Prometheus configmap reload is not picking up the changes

Fellas,
I am using the helm charts for stable/prometheus installations and inside it uses this "configmap-reload" as a separate container for reloading the configmap changes.
However, when editing the prometheus server configmap (using "kubectl edit configmap" command), the changes are not getting picked up.
Am I doing it the right way or am I missing something??

Any help please...

Cheers!
