From e25264b9d65b13bc333fa0426d3ede122c9abea6ef23c0028a8639f52508c4db Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Mon, 27 Jan 2025 19:42:00 +0000 Subject: [PATCH 1/9] - Update to version 1.1.1: * fixed cli desc for store env var (#374) * updated versions for go/k8s/helm (#373) * updated version flag to internal/flags (#369) * renamed incorrectly named consts (#371) * added store env var (#370) * adding ignore errors and retries for continue on error/fail on error (#368) * updated/fixed hauler directory (#354) * standardize consts (#353) * removed cachedir code (#355) * removed k3s code (#352) * updated dependencies for go, helm, and k8s (#351) * [feature] build with boring crypto where available (#344) * updated workflow to goreleaser builds (#341) * added timeout to goreleaser workflow (#340) * trying new workflow build processes (#337) * improved workflow performance (#336) * have extract use proper ref (#335) * yet another workflow goreleaser fix (#334) * even more workflow fixes (#333) * added more fixes to github workflow (#332) * fixed typo in hauler store save (#331) * updates to fix build processes (#330) * added integration tests for non hauler tarballs (#325) * bump: golang >= 1.23.1 (#328) * add platform flag to store save (#329) * Update feature_request.md * updated/standardize command descriptions (#313) * use new annotation for 'store save' manifest.json (#324) * enable docker load for hauler tarballs (#320) OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/hauler?expand=0&rev=11 --- .gitattributes | 23 +++++ .gitignore | 1 + _service | 20 +++++ _servicedata | 4 + hauler-1.0.1.tar.zst | 3 + hauler-1.1.1.tar.zst | 3 + hauler.changes | 200 +++++++++++++++++++++++++++++++++++++++++++ hauler.spec | 71 +++++++++++++++ vendor.tar.zst | 3 + 9 files changed, 328 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 hauler-1.0.1.tar.zst create mode 100644 hauler-1.1.1.tar.zst create mode 100644 hauler.changes create mode 100644 hauler.spec create mode 100644 vendor.tar.zst diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..392f994 --- /dev/null +++ b/_service @@ -0,0 +1,20 @@ + + + https://github.com/rancherfederal/hauler + git + v1.1.1 + @PARENT_TAG@ + v(.*) + enable + + + hauler-*.tar + zst + + + hauler + + + zst + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..9b688ef --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/rancherfederal/hauler + 090f4dc905e1d68b5a3e41e04feafe6063c85639 \ No newline at end of file diff --git a/hauler-1.0.1.tar.zst b/hauler-1.0.1.tar.zst new file mode 100644 index 0000000..6bf5450 --- /dev/null +++ b/hauler-1.0.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4646f6e1493d727b809834a35680c05afe80a6a9b2ea738745e0dc21fb194fa5 +size 106519 diff --git a/hauler-1.1.1.tar.zst b/hauler-1.1.1.tar.zst new file mode 100644 index 0000000..fdc7c70 --- /dev/null +++ b/hauler-1.1.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fc675db57a4fbf2ffd4ee694842ddbb15d4381d1de554931ed8875c928db5344 +size 25626074 diff --git a/hauler.changes b/hauler.changes new file mode 100644 index 0000000..1b1b33d --- /dev/null +++ b/hauler.changes @@ -0,0 +1,200 @@ +------------------------------------------------------------------- +Mon Jan 27 19:30:58 UTC 2025 - dmueller@suse.com + +- Update to version 1.1.1: + * fixed cli desc for store env var (#374) + * updated versions for go/k8s/helm (#373) + * updated version flag to internal/flags (#369) + * renamed incorrectly named consts (#371) + * added store env var (#370) + * adding ignore errors and retries for continue on error/fail on error (#368) + * updated/fixed hauler directory (#354) + * standardize consts (#353) + * removed cachedir code (#355) + * removed k3s code (#352) + * updated dependencies for go, helm, and k8s (#351) + * [feature] build with boring crypto where available (#344) + * updated workflow to goreleaser builds (#341) + * added timeout to goreleaser workflow (#340) + * trying new workflow build processes (#337) + * improved workflow performance (#336) + * have extract use proper ref (#335) + * yet another workflow goreleaser fix (#334) + * even more workflow fixes (#333) + * added more fixes to github workflow (#332) + * fixed typo in hauler store save (#331) + * updates to fix build processes (#330) + * added integration tests for non hauler tarballs (#325) + * bump: golang >= 1.23.1 (#328) + * add platform flag to store save (#329) + * Update feature_request.md + * updated/standardize command descriptions (#313) + * use new annotation for 'store save' manifest.json (#324) + * enable docker load for hauler tarballs (#320) + * bump to cosign v2.2.3-carbide.3 for new annotation (#322) + * continue on error when adding images to store (#317) + * Update README.md (#318) + * fixed completion commands (#312) + * github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311) + * pages: enable go install hauler.dev/go/hauler (#310) + * Create CNAME + * pages: initial workflow (#309) + * testing and linting updates (#305) + * feat-273: TLS Flags (#303) + * added list-repos flag (#298) + * fixed hauler login typo (#299) + * updated cobra function for shell completion (#304) + * updated install.sh to remove github api (#293) + * fix image ref keys getting squashed when containing sigs/atts (#291) + * fix missing versin info in release build (#283) + * bump github.com/docker/docker in the go_modules group across 1 directory (#281) + * updated install script (`install.sh`) (#280) + * fix digest images being lost on load of hauls (Signed). (#259) + * feat: add readonly flag (#277) + * fixed makefile for goreleaser v2 changes (#278) + * updated goreleaser versioning defaults (#279) + * update feature_request.md (#274) + * updated old references + * updated actions workflow user + * added dockerhub to github actions workflow + * removed helm chart + * added debug container and workflow + * updated products flag description + * updated chart for release + * fixed workflow errors/warnings + * fixed permissions on testdata + * updated chart versions (will need to update again) + * last bit of fixes to workflow + * updated unit test workflow + * updated goreleaser deprecations + * added helm chart release job + * updated github template names + * updated imports (and go fmt) + * formatted gitignore to match dockerignore + * formatted all code (go fmt) + * updated chart tests for new features + * Adding the timeout flag for fileserver command + * Configure chart commands to use helm clients for OCI and private registry support + * Added some documentation text to sync command + * Bump golang.org/x/net from 0.17.0 to 0.23.0 + * fix for dup digest smashing in cosign + * removed vagrant scripts + * last bit of updates and formatting of chart + * updated hauler testdata + * adding functionality and cleaning up + * added initial helm chart + * removed tag in release workflow + * updated/fixed image ref in release workflow + * updated/fixed platforms in release workflow + * updated/cleaned github actions (#222) + * Make Product Registry configurable (#194) + * updated fileserver directory name (#219) + * fix logging for files + * add extra info for the tempdir override flag + * tempdir override flag for load + * deprecate the cache flag instead of remove + * switch to using bci-golang as builder image + * fix: ensure /tmp for hauler store load + * added the copy back for now + * remove copy at the image sync not needed with cosign update + * removed misleading cache flag + * better logging when adding to store + * update to v2.2.3 of our cosign fork + * add: dockerignore + * add: Dockerfile + * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 + * Bump github.com/docker/docker + * updated and added new logos + * updated github files + +------------------------------------------------------------------- +Tue Apr 2 14:55:42 UTC 2024 - Dirk Müller + +- update to 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * fix exit code on error @amartin120 + * add registry flag to cli for sync @amartin120 +- update to 1.0.0: + * adding graphics @bgulla + * updated readme and removed roadmap @zackbradys + * updated/cleaned up install.sh @zackbradys + * remove deprecated commands @amartin120 + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names @amartin120 + * add login command @amartin120 + * update to add size totals and cosign bits to the info +- update to 0.4.4: + * add annotations for registry @amartin120 + * add annotations for key and platform @amartin120 + * Flags passed from the CLI have a global effect on any image + UNLESS it has a (key/platform) specified on the individual + image. Individual image key/platform takes precedence. + * If you have `hauler.dev/key` and/or `hauler.dev/platform` at + the annotation level, it would work just like the CLI flag + and globally apply for everything except individual images + specifying otherwise. Just like above. + * If you just so happen to provide both an annotation AND the + CLI flag for the same thing, the CLI flag wins. + * As for the `hauler.dev/registry` annotation, it will apply + globally unless the provided image reference already has a + registry specified in its name. +- update to 0.4.3: + * dep bumps for security vuln fixes @amartin120 + * check tag to determine pre-release @amartin120 + * Update install.sh for file cleaning @clemenko + * add platform flag for image add and sync @amartin120 + * bump cosign version to v2.2.2+carbide.2 @amartin120 + * improve cosign setup @amartin120 + * updated archive default name @zackbradys + * add license file @amartin120 + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` @amartin120 + +------------------------------------------------------------------- +Tue Apr 02 13:41:54 UTC 2024 - dmueller@suse.com + +- Update to version 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * reverting changes for logos (#189) + * adding graphics + * fix exit code on error + * add registry flag to cli for sync + * updated readme and removed roadmap + * updated/cleaned up install.sh + * remove deprecated commands + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names + * add login command + * update to add size totals and cosign bits to the info command + * switch the 'apply the registry override first in a image sync + * switch the 'not a multi-arch image' log message to be debug + * fix whitspace issue + * add better logging for save + * add annotations for registry + * add annotations for key and platform + * dep bumps for security vuln fixes + * check tag to determine pre-release + * Update install.sh + * Update install.sh for file cleaning + * clean up makefile + * remove extra debug statement + * another fix for the unit test gh action + * add platform flag for image add and sync + * adjust unit test gh action for latest updates + * bump cosign version to v2.2.2+carbide.2 + * improve cosign setup + * updated archive default name + * add license file + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` + * added homebrew install instructions + * updated hauler version and automated default version + +------------------------------------------------------------------- +Mon Jan 22 12:19:32 UTC 2024 - Dirk Müller + +- Initial package (0.4.2) diff --git a/hauler.spec b/hauler.spec new file mode 100644 index 0000000..6f331fd --- /dev/null +++ b/hauler.spec @@ -0,0 +1,71 @@ +# +# spec file for package hauler +# +# Copyright (c) 2025 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: hauler +Version: 1.1.1 +%global git_commit 090f4dc905e1d68b5a3e41e04feafe6063c85639 +Release: 0 +Summary: Airgap Swiss Army Knife +License: Apache-2.0 +Group: System/Management +URL: https://github.com/rancherfederal/hauler +Source: %{name}-%{version}.tar.zst +Source1: vendor.tar.zst +ExclusiveArch: x86_64 aarch64 +BuildRequires: cosign +BuildRequires: golang-packaging +BuildRequires: zstd +BuildRequires: golang(API) = 1.23 + +%description +Rancher Government Hauler simplifies the airgap experience without requiring +users to adopt a specific workflow. Hauler simplifies the airgapping process, +by representing assets (images, charts, files, etc...) as content and +collections to allow users to easily fetch, store, package, and distribute +these assets with declarative manifests or through the command line. + +Hauler does this by storing contents and collections as OCI Artifacts and +allows users to serve contents and collections with an embedded registry and +fileserver. Additionally, Hauler has the ability to store and inspect various +non-image OCI Artifacts. + +%prep +%autosetup -p1 -a1 + +%build +export CGO_ENABLED=1 +mkdir -p cmd/hauler/binaries/ +%ifarch aarch64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-arm64 +%endif +%ifarch x86_64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-amd64 +%endif +# s -w -X {{ .Env.vpkg }}.gitVersion={{ .Version }} -X {{ .Env.vpkg }}.gitCommit={{ .ShortCommit }} -X {{ .Env.vpkg }}.gitTreeState={{if .IsGitDirty}}dirty{{else}}clean{{end}} -X {{ .Env.vpkg }}.buildDate={{ .Date }} +go build -o hauler -mod=vendor -buildmode=pie -trimpath -ldflags "-s -w -X github.com/rancherfederal/hauler/internal/version.gitVersion=%{version} \ + -X github.com/rancherfederal/hauler/internal/version.gitCommit=%{git_commit} \ + -X github.com/rancherfederal/hauler/internal/version.gitTreeState=clean" cmd/hauler/main.go + +%install +install -D -m 755 hauler %{buildroot}/%{_bindir}/%{name} + +%files +%doc README.md +%{_bindir}/%{name} + +%changelog diff --git a/vendor.tar.zst b/vendor.tar.zst new file mode 100644 index 0000000..13f2f6a --- /dev/null +++ b/vendor.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cefc14ba14a1a5e1a0b942bd478148ed30f41901faa57482910ff2148c711b95 +size 6952009 -- 2.51.1 From 44ca2f997c9832999dd273e7ec0245a857be168d678fea5a246638c1723e6ed5 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Wed, 29 Jan 2025 10:26:42 +0000 Subject: [PATCH 2/9] - add 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch to bump net/html dependencies (bsc#1235332, CVE-2024-45338) OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/hauler?expand=0&rev=13 --- .gitattributes | 23 ++ .gitignore | 1 + ...les-group-across-1-directory-with-2-.patch | 106 +++++++++ _service | 20 ++ _servicedata | 4 + hauler-1.0.1.tar.zst | 3 + hauler-1.1.1.tar.zst | 3 + hauler.changes | 206 ++++++++++++++++++ hauler.spec | 72 ++++++ vendor.tar.zst | 3 + 10 files changed, 441 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch create mode 100644 _service create mode 100644 _servicedata create mode 100644 hauler-1.0.1.tar.zst create mode 100644 hauler-1.1.1.tar.zst create mode 100644 hauler.changes create mode 100644 hauler.spec create mode 100644 vendor.tar.zst diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch b/0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch new file mode 100644 index 0000000..667b95b --- /dev/null +++ b/0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch @@ -0,0 +1,106 @@ +From 5f5cd64c2f6825da0a53e223c871e36b8035bf08 Mon Sep 17 00:00:00 2001 +From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> +Date: Fri, 10 Jan 2025 19:59:36 -0500 +Subject: [PATCH] Bump the go_modules group across 1 directory with 2 updates + (#385) + +--- + go.mod | 4 ++-- + go.sum | 7 ++++--- + 2 files changed, 6 insertions(+), 5 deletions(-) + +Index: hauler-1.1.1/go.mod +=================================================================== +--- hauler-1.1.1.orig/go.mod ++++ hauler-1.1.1/go.mod +@@ -22,7 +22,7 @@ require ( + github.com/sirupsen/logrus v1.9.3 + github.com/spf13/afero v1.10.0 + github.com/spf13/cobra v1.8.1 +- golang.org/x/sync v0.8.0 ++ golang.org/x/sync v0.10.0 + helm.sh/helm/v3 v3.16.3 + k8s.io/apimachinery v0.31.3 + k8s.io/client-go v0.31.3 +@@ -149,12 +149,12 @@ require ( + go.opentelemetry.io/otel v1.28.0 // indirect + go.opentelemetry.io/otel/metric v1.28.0 // indirect + go.opentelemetry.io/otel/trace v1.28.0 // indirect +- golang.org/x/crypto v0.28.0 // indirect +- golang.org/x/net v0.30.0 // indirect ++ golang.org/x/crypto v0.31.0 // indirect ++ golang.org/x/net v0.33.0 // indirect + golang.org/x/oauth2 v0.23.0 // indirect +- golang.org/x/sys v0.26.0 // indirect +- golang.org/x/term v0.25.0 // indirect +- golang.org/x/text v0.19.0 // indirect ++ golang.org/x/sys v0.28.0 // indirect ++ golang.org/x/term v0.27.0 // indirect ++ golang.org/x/text v0.21.0 // indirect + golang.org/x/time v0.7.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect + google.golang.org/grpc v1.65.0 // indirect +Index: hauler-1.1.1/go.sum +=================================================================== +--- hauler-1.1.1.orig/go.sum ++++ hauler-1.1.1/go.sum +@@ -559,8 +559,8 @@ golang.org/x/crypto v0.0.0-2019101119153 + golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= + golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= + golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +-golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= +-golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= ++golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= ++golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= + golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +@@ -630,8 +630,8 @@ golang.org/x/net v0.0.0-20201209123823-a + golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= + golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= + golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= +-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= ++golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= ++golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= + golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= + golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= + golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +@@ -653,8 +653,8 @@ golang.org/x/sync v0.0.0-20200317015054- + golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= ++golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= ++golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= + golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +@@ -701,11 +701,11 @@ golang.org/x/sys v0.0.0-20220811171246-f + golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= ++golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= ++golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= + golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +-golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= +-golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= ++golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= ++golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= + golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +@@ -714,8 +714,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/ + golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= + golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= + golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +-golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +-golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= ++golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= ++golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= + golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff --git a/_service b/_service new file mode 100644 index 0000000..392f994 --- /dev/null +++ b/_service @@ -0,0 +1,20 @@ + + + https://github.com/rancherfederal/hauler + git + v1.1.1 + @PARENT_TAG@ + v(.*) + enable + + + hauler-*.tar + zst + + + hauler + + + zst + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..9b688ef --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/rancherfederal/hauler + 090f4dc905e1d68b5a3e41e04feafe6063c85639 \ No newline at end of file diff --git a/hauler-1.0.1.tar.zst b/hauler-1.0.1.tar.zst new file mode 100644 index 0000000..6bf5450 --- /dev/null +++ b/hauler-1.0.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4646f6e1493d727b809834a35680c05afe80a6a9b2ea738745e0dc21fb194fa5 +size 106519 diff --git a/hauler-1.1.1.tar.zst b/hauler-1.1.1.tar.zst new file mode 100644 index 0000000..fdc7c70 --- /dev/null +++ b/hauler-1.1.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fc675db57a4fbf2ffd4ee694842ddbb15d4381d1de554931ed8875c928db5344 +size 25626074 diff --git a/hauler.changes b/hauler.changes new file mode 100644 index 0000000..ae414d5 --- /dev/null +++ b/hauler.changes @@ -0,0 +1,206 @@ +------------------------------------------------------------------- +Wed Jan 29 10:25:57 UTC 2025 - Dirk Müller + +- add 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + to bump net/html dependencies (bsc#1235332, CVE-2024-45338) + +------------------------------------------------------------------- +Mon Jan 27 19:30:58 UTC 2025 - dmueller@suse.com + +- Update to version 1.1.1: + * fixed cli desc for store env var (#374) + * updated versions for go/k8s/helm (#373) + * updated version flag to internal/flags (#369) + * renamed incorrectly named consts (#371) + * added store env var (#370) + * adding ignore errors and retries for continue on error/fail on error (#368) + * updated/fixed hauler directory (#354) + * standardize consts (#353) + * removed cachedir code (#355) + * removed k3s code (#352) + * updated dependencies for go, helm, and k8s (#351) + * [feature] build with boring crypto where available (#344) + * updated workflow to goreleaser builds (#341) + * added timeout to goreleaser workflow (#340) + * trying new workflow build processes (#337) + * improved workflow performance (#336) + * have extract use proper ref (#335) + * yet another workflow goreleaser fix (#334) + * even more workflow fixes (#333) + * added more fixes to github workflow (#332) + * fixed typo in hauler store save (#331) + * updates to fix build processes (#330) + * added integration tests for non hauler tarballs (#325) + * bump: golang >= 1.23.1 (#328) + * add platform flag to store save (#329) + * Update feature_request.md + * updated/standardize command descriptions (#313) + * use new annotation for 'store save' manifest.json (#324) + * enable docker load for hauler tarballs (#320) + * bump to cosign v2.2.3-carbide.3 for new annotation (#322) + * continue on error when adding images to store (#317) + * Update README.md (#318) + * fixed completion commands (#312) + * github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311) + * pages: enable go install hauler.dev/go/hauler (#310) + * Create CNAME + * pages: initial workflow (#309) + * testing and linting updates (#305) + * feat-273: TLS Flags (#303) + * added list-repos flag (#298) + * fixed hauler login typo (#299) + * updated cobra function for shell completion (#304) + * updated install.sh to remove github api (#293) + * fix image ref keys getting squashed when containing sigs/atts (#291) + * fix missing versin info in release build (#283) + * bump github.com/docker/docker in the go_modules group across 1 directory (#281) + * updated install script (`install.sh`) (#280) + * fix digest images being lost on load of hauls (Signed). (#259) + * feat: add readonly flag (#277) + * fixed makefile for goreleaser v2 changes (#278) + * updated goreleaser versioning defaults (#279) + * update feature_request.md (#274) + * updated old references + * updated actions workflow user + * added dockerhub to github actions workflow + * removed helm chart + * added debug container and workflow + * updated products flag description + * updated chart for release + * fixed workflow errors/warnings + * fixed permissions on testdata + * updated chart versions (will need to update again) + * last bit of fixes to workflow + * updated unit test workflow + * updated goreleaser deprecations + * added helm chart release job + * updated github template names + * updated imports (and go fmt) + * formatted gitignore to match dockerignore + * formatted all code (go fmt) + * updated chart tests for new features + * Adding the timeout flag for fileserver command + * Configure chart commands to use helm clients for OCI and private registry support + * Added some documentation text to sync command + * Bump golang.org/x/net from 0.17.0 to 0.23.0 + * fix for dup digest smashing in cosign + * removed vagrant scripts + * last bit of updates and formatting of chart + * updated hauler testdata + * adding functionality and cleaning up + * added initial helm chart + * removed tag in release workflow + * updated/fixed image ref in release workflow + * updated/fixed platforms in release workflow + * updated/cleaned github actions (#222) + * Make Product Registry configurable (#194) + * updated fileserver directory name (#219) + * fix logging for files + * add extra info for the tempdir override flag + * tempdir override flag for load + * deprecate the cache flag instead of remove + * switch to using bci-golang as builder image + * fix: ensure /tmp for hauler store load + * added the copy back for now + * remove copy at the image sync not needed with cosign update + * removed misleading cache flag + * better logging when adding to store + * update to v2.2.3 of our cosign fork + * add: dockerignore + * add: Dockerfile + * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 + * Bump github.com/docker/docker + * updated and added new logos + * updated github files + +------------------------------------------------------------------- +Tue Apr 2 14:55:42 UTC 2024 - Dirk Müller + +- update to 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * fix exit code on error @amartin120 + * add registry flag to cli for sync @amartin120 +- update to 1.0.0: + * adding graphics @bgulla + * updated readme and removed roadmap @zackbradys + * updated/cleaned up install.sh @zackbradys + * remove deprecated commands @amartin120 + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names @amartin120 + * add login command @amartin120 + * update to add size totals and cosign bits to the info +- update to 0.4.4: + * add annotations for registry @amartin120 + * add annotations for key and platform @amartin120 + * Flags passed from the CLI have a global effect on any image + UNLESS it has a (key/platform) specified on the individual + image. Individual image key/platform takes precedence. + * If you have `hauler.dev/key` and/or `hauler.dev/platform` at + the annotation level, it would work just like the CLI flag + and globally apply for everything except individual images + specifying otherwise. Just like above. + * If you just so happen to provide both an annotation AND the + CLI flag for the same thing, the CLI flag wins. + * As for the `hauler.dev/registry` annotation, it will apply + globally unless the provided image reference already has a + registry specified in its name. +- update to 0.4.3: + * dep bumps for security vuln fixes @amartin120 + * check tag to determine pre-release @amartin120 + * Update install.sh for file cleaning @clemenko + * add platform flag for image add and sync @amartin120 + * bump cosign version to v2.2.2+carbide.2 @amartin120 + * improve cosign setup @amartin120 + * updated archive default name @zackbradys + * add license file @amartin120 + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` @amartin120 + +------------------------------------------------------------------- +Tue Apr 02 13:41:54 UTC 2024 - dmueller@suse.com + +- Update to version 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * reverting changes for logos (#189) + * adding graphics + * fix exit code on error + * add registry flag to cli for sync + * updated readme and removed roadmap + * updated/cleaned up install.sh + * remove deprecated commands + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names + * add login command + * update to add size totals and cosign bits to the info command + * switch the 'apply the registry override first in a image sync + * switch the 'not a multi-arch image' log message to be debug + * fix whitspace issue + * add better logging for save + * add annotations for registry + * add annotations for key and platform + * dep bumps for security vuln fixes + * check tag to determine pre-release + * Update install.sh + * Update install.sh for file cleaning + * clean up makefile + * remove extra debug statement + * another fix for the unit test gh action + * add platform flag for image add and sync + * adjust unit test gh action for latest updates + * bump cosign version to v2.2.2+carbide.2 + * improve cosign setup + * updated archive default name + * add license file + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` + * added homebrew install instructions + * updated hauler version and automated default version + +------------------------------------------------------------------- +Mon Jan 22 12:19:32 UTC 2024 - Dirk Müller + +- Initial package (0.4.2) diff --git a/hauler.spec b/hauler.spec new file mode 100644 index 0000000..bceb316 --- /dev/null +++ b/hauler.spec @@ -0,0 +1,72 @@ +# +# spec file for package hauler +# +# Copyright (c) 2025 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: hauler +Version: 1.1.1 +%global git_commit 090f4dc905e1d68b5a3e41e04feafe6063c85639 +Release: 0 +Summary: Airgap Swiss Army Knife +License: Apache-2.0 +Group: System/Management +URL: https://github.com/rancherfederal/hauler +Source: %{name}-%{version}.tar.zst +Patch1: 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch +Source1: vendor.tar.zst +ExclusiveArch: x86_64 aarch64 +BuildRequires: cosign +BuildRequires: golang-packaging +BuildRequires: zstd +BuildRequires: golang(API) = 1.23 + +%description +Rancher Government Hauler simplifies the airgap experience without requiring +users to adopt a specific workflow. Hauler simplifies the airgapping process, +by representing assets (images, charts, files, etc...) as content and +collections to allow users to easily fetch, store, package, and distribute +these assets with declarative manifests or through the command line. + +Hauler does this by storing contents and collections as OCI Artifacts and +allows users to serve contents and collections with an embedded registry and +fileserver. Additionally, Hauler has the ability to store and inspect various +non-image OCI Artifacts. + +%prep +%autosetup -p1 -a1 + +%build +export CGO_ENABLED=1 +mkdir -p cmd/hauler/binaries/ +%ifarch aarch64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-arm64 +%endif +%ifarch x86_64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-amd64 +%endif +# s -w -X {{ .Env.vpkg }}.gitVersion={{ .Version }} -X {{ .Env.vpkg }}.gitCommit={{ .ShortCommit }} -X {{ .Env.vpkg }}.gitTreeState={{if .IsGitDirty}}dirty{{else}}clean{{end}} -X {{ .Env.vpkg }}.buildDate={{ .Date }} +go build -o hauler -mod=vendor -buildmode=pie -trimpath -ldflags "-s -w -X github.com/rancherfederal/hauler/internal/version.gitVersion=%{version} \ + -X github.com/rancherfederal/hauler/internal/version.gitCommit=%{git_commit} \ + -X github.com/rancherfederal/hauler/internal/version.gitTreeState=clean" cmd/hauler/main.go + +%install +install -D -m 755 hauler %{buildroot}/%{_bindir}/%{name} + +%files +%doc README.md +%{_bindir}/%{name} + +%changelog diff --git a/vendor.tar.zst b/vendor.tar.zst new file mode 100644 index 0000000..0d7581e --- /dev/null +++ b/vendor.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a6eccef9b281dd41ad3c098ec8f9df96cb6c9581431d1b2c6b1f1ed0b2f86c01 +size 7141388 -- 2.51.1 From 38f624a2dc9c12fc3783aefc87fc4f1ec657787096566f6f2eef9e7eab2f67e3 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Tue, 15 Apr 2025 08:17:15 +0000 Subject: [PATCH 3/9] - Update to version 1.2.2 (bsc#1241184, CVE-2024-0406): * cleanup new tlog flag typos and add shorthand (#426) * default public transparency log verification to false to be airgap friendly but allow override (#425) * bump github.com/golang-jwt/jwt/v4 (#423) * bump the go_modules group across 1 directory with 2 updates (#422) * bump github.com/go-jose/go-jose/v3 (#417) * bump github.com/go-jose/go-jose/v4 (#415) * clear default manifest name if product flag used with sync (#412) * updates for v1.2.0 (#408) * fixed remote code (#407) * added remote file fetch to load (#406) * added remote and multiple file fetch to sync (#405) * updated save flag and related logs (#404) * updated load flag and related logs [breaking change] (#403) * updated sync flag and related logs [breaking change] (#402) * upgraded api update to v1/updated dependencies (#400) * fixed consts for oci declarations (#398) * fix for correctly grabbing platform post cosign 2.4 updates (#393) * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390) * Bump the go_modules group across 1 directory with 2 updates (#385) * replace mholt/archiver with mholt/archives (#384) * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383) * cleaned up registry and improved logging (#378) * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377) - drop 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch (upstream) OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/hauler?expand=0&rev=15 --- .gitattributes | 23 ++ .gitignore | 1 + ...les-group-across-1-directory-with-2-.patch | 106 ++++++++ _service | 20 ++ _servicedata | 4 + hauler-1.0.1.tar.zst | 3 + hauler-1.1.1.tar.zst | 3 + hauler-1.2.2.tar.zst | 3 + hauler.changes | 237 ++++++++++++++++++ hauler.spec | 71 ++++++ vendor.tar.zst | 3 + 11 files changed, 474 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch create mode 100644 _service create mode 100644 _servicedata create mode 100644 hauler-1.0.1.tar.zst create mode 100644 hauler-1.1.1.tar.zst create mode 100644 hauler-1.2.2.tar.zst create mode 100644 hauler.changes create mode 100644 hauler.spec create mode 100644 vendor.tar.zst diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch b/0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch new file mode 100644 index 0000000..667b95b --- /dev/null +++ b/0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch @@ -0,0 +1,106 @@ +From 5f5cd64c2f6825da0a53e223c871e36b8035bf08 Mon Sep 17 00:00:00 2001 +From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> +Date: Fri, 10 Jan 2025 19:59:36 -0500 +Subject: [PATCH] Bump the go_modules group across 1 directory with 2 updates + (#385) + +--- + go.mod | 4 ++-- + go.sum | 7 ++++--- + 2 files changed, 6 insertions(+), 5 deletions(-) + +Index: hauler-1.1.1/go.mod +=================================================================== +--- hauler-1.1.1.orig/go.mod ++++ hauler-1.1.1/go.mod +@@ -22,7 +22,7 @@ require ( + github.com/sirupsen/logrus v1.9.3 + github.com/spf13/afero v1.10.0 + github.com/spf13/cobra v1.8.1 +- golang.org/x/sync v0.8.0 ++ golang.org/x/sync v0.10.0 + helm.sh/helm/v3 v3.16.3 + k8s.io/apimachinery v0.31.3 + k8s.io/client-go v0.31.3 +@@ -149,12 +149,12 @@ require ( + go.opentelemetry.io/otel v1.28.0 // indirect + go.opentelemetry.io/otel/metric v1.28.0 // indirect + go.opentelemetry.io/otel/trace v1.28.0 // indirect +- golang.org/x/crypto v0.28.0 // indirect +- golang.org/x/net v0.30.0 // indirect ++ golang.org/x/crypto v0.31.0 // indirect ++ golang.org/x/net v0.33.0 // indirect + golang.org/x/oauth2 v0.23.0 // indirect +- golang.org/x/sys v0.26.0 // indirect +- golang.org/x/term v0.25.0 // indirect +- golang.org/x/text v0.19.0 // indirect ++ golang.org/x/sys v0.28.0 // indirect ++ golang.org/x/term v0.27.0 // indirect ++ golang.org/x/text v0.21.0 // indirect + golang.org/x/time v0.7.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect + google.golang.org/grpc v1.65.0 // indirect +Index: hauler-1.1.1/go.sum +=================================================================== +--- hauler-1.1.1.orig/go.sum ++++ hauler-1.1.1/go.sum +@@ -559,8 +559,8 @@ golang.org/x/crypto v0.0.0-2019101119153 + golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= + golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= + golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +-golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= +-golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= ++golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= ++golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= + golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +@@ -630,8 +630,8 @@ golang.org/x/net v0.0.0-20201209123823-a + golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= + golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= + golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= +-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= ++golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= ++golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= + golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= + golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= + golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +@@ -653,8 +653,8 @@ golang.org/x/sync v0.0.0-20200317015054- + golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= ++golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= ++golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= + golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +@@ -701,11 +701,11 @@ golang.org/x/sys v0.0.0-20220811171246-f + golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= ++golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= ++golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= + golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +-golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= +-golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= ++golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= ++golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= + golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +@@ -714,8 +714,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/ + golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= + golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= + golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +-golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +-golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= ++golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= ++golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= + golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff --git a/_service b/_service new file mode 100644 index 0000000..4dab802 --- /dev/null +++ b/_service @@ -0,0 +1,20 @@ + + + https://github.com/rancherfederal/hauler + git + v1.2.2 + @PARENT_TAG@ + v(.*) + enable + + + hauler-*.tar + zst + + + hauler + + + zst + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..b80f844 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/rancherfederal/hauler + 5021f3ab6b364a5172fe9fece97bf3742ab1b4ce \ No newline at end of file diff --git a/hauler-1.0.1.tar.zst b/hauler-1.0.1.tar.zst new file mode 100644 index 0000000..6bf5450 --- /dev/null +++ b/hauler-1.0.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4646f6e1493d727b809834a35680c05afe80a6a9b2ea738745e0dc21fb194fa5 +size 106519 diff --git a/hauler-1.1.1.tar.zst b/hauler-1.1.1.tar.zst new file mode 100644 index 0000000..fdc7c70 --- /dev/null +++ b/hauler-1.1.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fc675db57a4fbf2ffd4ee694842ddbb15d4381d1de554931ed8875c928db5344 +size 25626074 diff --git a/hauler-1.2.2.tar.zst b/hauler-1.2.2.tar.zst new file mode 100644 index 0000000..2326104 --- /dev/null +++ b/hauler-1.2.2.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6f34eff91b437a9f770f5be93351572e1adec68ab62986c437ed2dd9723539b6 +size 25649917 diff --git a/hauler.changes b/hauler.changes new file mode 100644 index 0000000..bc24dde --- /dev/null +++ b/hauler.changes @@ -0,0 +1,237 @@ +------------------------------------------------------------------- +Tue Apr 15 08:10:25 UTC 2025 - dmueller@suse.com + +- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406): + * cleanup new tlog flag typos and add shorthand (#426) + * default public transparency log verification to false to be airgap friendly but allow override (#425) + * bump github.com/golang-jwt/jwt/v4 (#423) + * bump the go_modules group across 1 directory with 2 updates (#422) + * bump github.com/go-jose/go-jose/v3 (#417) + * bump github.com/go-jose/go-jose/v4 (#415) + * clear default manifest name if product flag used with sync (#412) + * updates for v1.2.0 (#408) + * fixed remote code (#407) + * added remote file fetch to load (#406) + * added remote and multiple file fetch to sync (#405) + * updated save flag and related logs (#404) + * updated load flag and related logs [breaking change] (#403) + * updated sync flag and related logs [breaking change] (#402) + * upgraded api update to v1/updated dependencies (#400) + * fixed consts for oci declarations (#398) + * fix for correctly grabbing platform post cosign 2.4 updates (#393) + * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390) + * Bump the go_modules group across 1 directory with 2 updates (#385) + * replace mholt/archiver with mholt/archives (#384) + * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383) + * cleaned up registry and improved logging (#378) + * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377) +- drop + 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + (upstream) + +------------------------------------------------------------------- +Wed Jan 29 10:25:57 UTC 2025 - Dirk Müller + +- add 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + to bump net/html dependencies (bsc#1235332, CVE-2024-45338) + +------------------------------------------------------------------- +Mon Jan 27 19:30:58 UTC 2025 - dmueller@suse.com + +- Update to version 1.1.1: + * fixed cli desc for store env var (#374) + * updated versions for go/k8s/helm (#373) + * updated version flag to internal/flags (#369) + * renamed incorrectly named consts (#371) + * added store env var (#370) + * adding ignore errors and retries for continue on error/fail on error (#368) + * updated/fixed hauler directory (#354) + * standardize consts (#353) + * removed cachedir code (#355) + * removed k3s code (#352) + * updated dependencies for go, helm, and k8s (#351) + * [feature] build with boring crypto where available (#344) + * updated workflow to goreleaser builds (#341) + * added timeout to goreleaser workflow (#340) + * trying new workflow build processes (#337) + * improved workflow performance (#336) + * have extract use proper ref (#335) + * yet another workflow goreleaser fix (#334) + * even more workflow fixes (#333) + * added more fixes to github workflow (#332) + * fixed typo in hauler store save (#331) + * updates to fix build processes (#330) + * added integration tests for non hauler tarballs (#325) + * bump: golang >= 1.23.1 (#328) + * add platform flag to store save (#329) + * Update feature_request.md + * updated/standardize command descriptions (#313) + * use new annotation for 'store save' manifest.json (#324) + * enable docker load for hauler tarballs (#320) + * bump to cosign v2.2.3-carbide.3 for new annotation (#322) + * continue on error when adding images to store (#317) + * Update README.md (#318) + * fixed completion commands (#312) + * github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311) + * pages: enable go install hauler.dev/go/hauler (#310) + * Create CNAME + * pages: initial workflow (#309) + * testing and linting updates (#305) + * feat-273: TLS Flags (#303) + * added list-repos flag (#298) + * fixed hauler login typo (#299) + * updated cobra function for shell completion (#304) + * updated install.sh to remove github api (#293) + * fix image ref keys getting squashed when containing sigs/atts (#291) + * fix missing versin info in release build (#283) + * bump github.com/docker/docker in the go_modules group across 1 directory (#281) + * updated install script (`install.sh`) (#280) + * fix digest images being lost on load of hauls (Signed). (#259) + * feat: add readonly flag (#277) + * fixed makefile for goreleaser v2 changes (#278) + * updated goreleaser versioning defaults (#279) + * update feature_request.md (#274) + * updated old references + * updated actions workflow user + * added dockerhub to github actions workflow + * removed helm chart + * added debug container and workflow + * updated products flag description + * updated chart for release + * fixed workflow errors/warnings + * fixed permissions on testdata + * updated chart versions (will need to update again) + * last bit of fixes to workflow + * updated unit test workflow + * updated goreleaser deprecations + * added helm chart release job + * updated github template names + * updated imports (and go fmt) + * formatted gitignore to match dockerignore + * formatted all code (go fmt) + * updated chart tests for new features + * Adding the timeout flag for fileserver command + * Configure chart commands to use helm clients for OCI and private registry support + * Added some documentation text to sync command + * Bump golang.org/x/net from 0.17.0 to 0.23.0 + * fix for dup digest smashing in cosign + * removed vagrant scripts + * last bit of updates and formatting of chart + * updated hauler testdata + * adding functionality and cleaning up + * added initial helm chart + * removed tag in release workflow + * updated/fixed image ref in release workflow + * updated/fixed platforms in release workflow + * updated/cleaned github actions (#222) + * Make Product Registry configurable (#194) + * updated fileserver directory name (#219) + * fix logging for files + * add extra info for the tempdir override flag + * tempdir override flag for load + * deprecate the cache flag instead of remove + * switch to using bci-golang as builder image + * fix: ensure /tmp for hauler store load + * added the copy back for now + * remove copy at the image sync not needed with cosign update + * removed misleading cache flag + * better logging when adding to store + * update to v2.2.3 of our cosign fork + * add: dockerignore + * add: Dockerfile + * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 + * Bump github.com/docker/docker + * updated and added new logos + * updated github files + +------------------------------------------------------------------- +Tue Apr 2 14:55:42 UTC 2024 - Dirk Müller + +- update to 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * fix exit code on error @amartin120 + * add registry flag to cli for sync @amartin120 +- update to 1.0.0: + * adding graphics @bgulla + * updated readme and removed roadmap @zackbradys + * updated/cleaned up install.sh @zackbradys + * remove deprecated commands @amartin120 + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names @amartin120 + * add login command @amartin120 + * update to add size totals and cosign bits to the info +- update to 0.4.4: + * add annotations for registry @amartin120 + * add annotations for key and platform @amartin120 + * Flags passed from the CLI have a global effect on any image + UNLESS it has a (key/platform) specified on the individual + image. Individual image key/platform takes precedence. + * If you have `hauler.dev/key` and/or `hauler.dev/platform` at + the annotation level, it would work just like the CLI flag + and globally apply for everything except individual images + specifying otherwise. Just like above. + * If you just so happen to provide both an annotation AND the + CLI flag for the same thing, the CLI flag wins. + * As for the `hauler.dev/registry` annotation, it will apply + globally unless the provided image reference already has a + registry specified in its name. +- update to 0.4.3: + * dep bumps for security vuln fixes @amartin120 + * check tag to determine pre-release @amartin120 + * Update install.sh for file cleaning @clemenko + * add platform flag for image add and sync @amartin120 + * bump cosign version to v2.2.2+carbide.2 @amartin120 + * improve cosign setup @amartin120 + * updated archive default name @zackbradys + * add license file @amartin120 + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` @amartin120 + +------------------------------------------------------------------- +Tue Apr 02 13:41:54 UTC 2024 - dmueller@suse.com + +- Update to version 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * reverting changes for logos (#189) + * adding graphics + * fix exit code on error + * add registry flag to cli for sync + * updated readme and removed roadmap + * updated/cleaned up install.sh + * remove deprecated commands + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names + * add login command + * update to add size totals and cosign bits to the info command + * switch the 'apply the registry override first in a image sync + * switch the 'not a multi-arch image' log message to be debug + * fix whitspace issue + * add better logging for save + * add annotations for registry + * add annotations for key and platform + * dep bumps for security vuln fixes + * check tag to determine pre-release + * Update install.sh + * Update install.sh for file cleaning + * clean up makefile + * remove extra debug statement + * another fix for the unit test gh action + * add platform flag for image add and sync + * adjust unit test gh action for latest updates + * bump cosign version to v2.2.2+carbide.2 + * improve cosign setup + * updated archive default name + * add license file + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` + * added homebrew install instructions + * updated hauler version and automated default version + +------------------------------------------------------------------- +Mon Jan 22 12:19:32 UTC 2024 - Dirk Müller + +- Initial package (0.4.2) diff --git a/hauler.spec b/hauler.spec new file mode 100644 index 0000000..563f5f8 --- /dev/null +++ b/hauler.spec @@ -0,0 +1,71 @@ +# +# spec file for package hauler +# +# Copyright (c) 2025 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: hauler +Version: 1.2.2 +%global git_commit 5021f3ab6b364a5172fe9fece97bf3742ab1b4ce +Release: 0 +Summary: Airgap Swiss Army Knife +License: Apache-2.0 +Group: System/Management +URL: https://github.com/rancherfederal/hauler +Source: %{name}-%{version}.tar.zst +Source1: vendor.tar.zst +ExclusiveArch: x86_64 aarch64 +BuildRequires: cosign +BuildRequires: golang-packaging +BuildRequires: zstd +BuildRequires: golang(API) = 1.23 + +%description +Rancher Government Hauler simplifies the airgap experience without requiring +users to adopt a specific workflow. Hauler simplifies the airgapping process, +by representing assets (images, charts, files, etc...) as content and +collections to allow users to easily fetch, store, package, and distribute +these assets with declarative manifests or through the command line. + +Hauler does this by storing contents and collections as OCI Artifacts and +allows users to serve contents and collections with an embedded registry and +fileserver. Additionally, Hauler has the ability to store and inspect various +non-image OCI Artifacts. + +%prep +%autosetup -p1 -a1 + +%build +export CGO_ENABLED=1 +mkdir -p cmd/hauler/binaries/ +%ifarch aarch64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-arm64 +%endif +%ifarch x86_64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-amd64 +%endif +# s -w -X {{ .Env.vpkg }}.gitVersion={{ .Version }} -X {{ .Env.vpkg }}.gitCommit={{ .ShortCommit }} -X {{ .Env.vpkg }}.gitTreeState={{if .IsGitDirty}}dirty{{else}}clean{{end}} -X {{ .Env.vpkg }}.buildDate={{ .Date }} +go build -o hauler -mod=vendor -buildmode=pie -trimpath -ldflags "-s -w -X github.com/rancherfederal/hauler/internal/version.gitVersion=%{version} \ + -X github.com/rancherfederal/hauler/internal/version.gitCommit=%{git_commit} \ + -X github.com/rancherfederal/hauler/internal/version.gitTreeState=clean" cmd/hauler/main.go + +%install +install -D -m 755 hauler %{buildroot}/%{_bindir}/%{name} + +%files +%doc README.md +%{_bindir}/%{name} + +%changelog diff --git a/vendor.tar.zst b/vendor.tar.zst new file mode 100644 index 0000000..607b907 --- /dev/null +++ b/vendor.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:54073645173a4b92301b7702bcf0ff6d11046cde548706bb8076593672cd840c +size 11991411 -- 2.51.1 From 927c41f45837acb44a5097796f1f7cd72a29c13ccaeef18d26079bace635a12b Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Mon, 28 Apr 2025 10:00:05 +0000 Subject: [PATCH 4/9] - Update to version 1.2.3: * formatting and flag text updates * add keyless signature verification (#434) * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430) * add --only flag to hauler store copy (for images) (#429) * fix tlog verification error/warning output (#428) OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/hauler?expand=0&rev=17 --- .gitattributes | 23 ++ .gitignore | 1 + ...les-group-across-1-directory-with-2-.patch | 106 ++++++++ _service | 20 ++ _servicedata | 4 + hauler-1.0.1.tar.zst | 3 + hauler-1.1.1.tar.zst | 3 + hauler-1.2.2.tar.zst | 3 + hauler-1.2.3.tar.zst | 3 + hauler.changes | 247 ++++++++++++++++++ hauler.spec | 71 +++++ vendor.tar.zst | 3 + 12 files changed, 487 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch create mode 100644 _service create mode 100644 _servicedata create mode 100644 hauler-1.0.1.tar.zst create mode 100644 hauler-1.1.1.tar.zst create mode 100644 hauler-1.2.2.tar.zst create mode 100644 hauler-1.2.3.tar.zst create mode 100644 hauler.changes create mode 100644 hauler.spec create mode 100644 vendor.tar.zst diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch b/0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch new file mode 100644 index 0000000..667b95b --- /dev/null +++ b/0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch @@ -0,0 +1,106 @@ +From 5f5cd64c2f6825da0a53e223c871e36b8035bf08 Mon Sep 17 00:00:00 2001 +From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> +Date: Fri, 10 Jan 2025 19:59:36 -0500 +Subject: [PATCH] Bump the go_modules group across 1 directory with 2 updates + (#385) + +--- + go.mod | 4 ++-- + go.sum | 7 ++++--- + 2 files changed, 6 insertions(+), 5 deletions(-) + +Index: hauler-1.1.1/go.mod +=================================================================== +--- hauler-1.1.1.orig/go.mod ++++ hauler-1.1.1/go.mod +@@ -22,7 +22,7 @@ require ( + github.com/sirupsen/logrus v1.9.3 + github.com/spf13/afero v1.10.0 + github.com/spf13/cobra v1.8.1 +- golang.org/x/sync v0.8.0 ++ golang.org/x/sync v0.10.0 + helm.sh/helm/v3 v3.16.3 + k8s.io/apimachinery v0.31.3 + k8s.io/client-go v0.31.3 +@@ -149,12 +149,12 @@ require ( + go.opentelemetry.io/otel v1.28.0 // indirect + go.opentelemetry.io/otel/metric v1.28.0 // indirect + go.opentelemetry.io/otel/trace v1.28.0 // indirect +- golang.org/x/crypto v0.28.0 // indirect +- golang.org/x/net v0.30.0 // indirect ++ golang.org/x/crypto v0.31.0 // indirect ++ golang.org/x/net v0.33.0 // indirect + golang.org/x/oauth2 v0.23.0 // indirect +- golang.org/x/sys v0.26.0 // indirect +- golang.org/x/term v0.25.0 // indirect +- golang.org/x/text v0.19.0 // indirect ++ golang.org/x/sys v0.28.0 // indirect ++ golang.org/x/term v0.27.0 // indirect ++ golang.org/x/text v0.21.0 // indirect + golang.org/x/time v0.7.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect + google.golang.org/grpc v1.65.0 // indirect +Index: hauler-1.1.1/go.sum +=================================================================== +--- hauler-1.1.1.orig/go.sum ++++ hauler-1.1.1/go.sum +@@ -559,8 +559,8 @@ golang.org/x/crypto v0.0.0-2019101119153 + golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= + golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= + golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +-golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= +-golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= ++golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= ++golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= + golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +@@ -630,8 +630,8 @@ golang.org/x/net v0.0.0-20201209123823-a + golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= + golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= + golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= +-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= ++golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= ++golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= + golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= + golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= + golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +@@ -653,8 +653,8 @@ golang.org/x/sync v0.0.0-20200317015054- + golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= ++golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= ++golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= + golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +@@ -701,11 +701,11 @@ golang.org/x/sys v0.0.0-20220811171246-f + golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= ++golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= ++golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= + golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +-golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= +-golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= ++golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= ++golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= + golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +@@ -714,8 +714,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/ + golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= + golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= + golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +-golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +-golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= ++golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= ++golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= + golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff --git a/_service b/_service new file mode 100644 index 0000000..425bfd4 --- /dev/null +++ b/_service @@ -0,0 +1,20 @@ + + + https://github.com/rancherfederal/hauler + git + v1.2.3 + @PARENT_TAG@ + v(.*) + enable + + + hauler-*.tar + zst + + + hauler + + + zst + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..e4c2923 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/rancherfederal/hauler + ea53002f3a8447147ad1d4b03ab8dae0b2e2392e \ No newline at end of file diff --git a/hauler-1.0.1.tar.zst b/hauler-1.0.1.tar.zst new file mode 100644 index 0000000..6bf5450 --- /dev/null +++ b/hauler-1.0.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4646f6e1493d727b809834a35680c05afe80a6a9b2ea738745e0dc21fb194fa5 +size 106519 diff --git a/hauler-1.1.1.tar.zst b/hauler-1.1.1.tar.zst new file mode 100644 index 0000000..fdc7c70 --- /dev/null +++ b/hauler-1.1.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fc675db57a4fbf2ffd4ee694842ddbb15d4381d1de554931ed8875c928db5344 +size 25626074 diff --git a/hauler-1.2.2.tar.zst b/hauler-1.2.2.tar.zst new file mode 100644 index 0000000..2326104 --- /dev/null +++ b/hauler-1.2.2.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6f34eff91b437a9f770f5be93351572e1adec68ab62986c437ed2dd9723539b6 +size 25649917 diff --git a/hauler-1.2.3.tar.zst b/hauler-1.2.3.tar.zst new file mode 100644 index 0000000..6f9af55 --- /dev/null +++ b/hauler-1.2.3.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:44f2c6011998d1f4790ff737400a885198af4354a1f3d2fd6a086f10f62b1116 +size 25650129 diff --git a/hauler.changes b/hauler.changes new file mode 100644 index 0000000..bb9b3d4 --- /dev/null +++ b/hauler.changes @@ -0,0 +1,247 @@ +------------------------------------------------------------------- +Mon Apr 28 09:58:05 UTC 2025 - Dirk Müller + +- Update to version 1.2.3: + * formatting and flag text updates + * add keyless signature verification (#434) + * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430) + * add --only flag to hauler store copy (for images) (#429) + * fix tlog verification error/warning output (#428) + +------------------------------------------------------------------- +Tue Apr 15 08:10:25 UTC 2025 - dmueller@suse.com + +- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406): + * cleanup new tlog flag typos and add shorthand (#426) + * default public transparency log verification to false to be airgap friendly but allow override (#425) + * bump github.com/golang-jwt/jwt/v4 (#423) + * bump the go_modules group across 1 directory with 2 updates (#422) + * bump github.com/go-jose/go-jose/v3 (#417) + * bump github.com/go-jose/go-jose/v4 (#415) + * clear default manifest name if product flag used with sync (#412) + * updates for v1.2.0 (#408) + * fixed remote code (#407) + * added remote file fetch to load (#406) + * added remote and multiple file fetch to sync (#405) + * updated save flag and related logs (#404) + * updated load flag and related logs [breaking change] (#403) + * updated sync flag and related logs [breaking change] (#402) + * upgraded api update to v1/updated dependencies (#400) + * fixed consts for oci declarations (#398) + * fix for correctly grabbing platform post cosign 2.4 updates (#393) + * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390) + * Bump the go_modules group across 1 directory with 2 updates (#385) + * replace mholt/archiver with mholt/archives (#384) + * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383) + * cleaned up registry and improved logging (#378) + * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377) +- drop + 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + (upstream) + +------------------------------------------------------------------- +Wed Jan 29 10:25:57 UTC 2025 - Dirk Müller + +- add 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + to bump net/html dependencies (bsc#1235332, CVE-2024-45338) + +------------------------------------------------------------------- +Mon Jan 27 19:30:58 UTC 2025 - dmueller@suse.com + +- Update to version 1.1.1: + * fixed cli desc for store env var (#374) + * updated versions for go/k8s/helm (#373) + * updated version flag to internal/flags (#369) + * renamed incorrectly named consts (#371) + * added store env var (#370) + * adding ignore errors and retries for continue on error/fail on error (#368) + * updated/fixed hauler directory (#354) + * standardize consts (#353) + * removed cachedir code (#355) + * removed k3s code (#352) + * updated dependencies for go, helm, and k8s (#351) + * [feature] build with boring crypto where available (#344) + * updated workflow to goreleaser builds (#341) + * added timeout to goreleaser workflow (#340) + * trying new workflow build processes (#337) + * improved workflow performance (#336) + * have extract use proper ref (#335) + * yet another workflow goreleaser fix (#334) + * even more workflow fixes (#333) + * added more fixes to github workflow (#332) + * fixed typo in hauler store save (#331) + * updates to fix build processes (#330) + * added integration tests for non hauler tarballs (#325) + * bump: golang >= 1.23.1 (#328) + * add platform flag to store save (#329) + * Update feature_request.md + * updated/standardize command descriptions (#313) + * use new annotation for 'store save' manifest.json (#324) + * enable docker load for hauler tarballs (#320) + * bump to cosign v2.2.3-carbide.3 for new annotation (#322) + * continue on error when adding images to store (#317) + * Update README.md (#318) + * fixed completion commands (#312) + * github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311) + * pages: enable go install hauler.dev/go/hauler (#310) + * Create CNAME + * pages: initial workflow (#309) + * testing and linting updates (#305) + * feat-273: TLS Flags (#303) + * added list-repos flag (#298) + * fixed hauler login typo (#299) + * updated cobra function for shell completion (#304) + * updated install.sh to remove github api (#293) + * fix image ref keys getting squashed when containing sigs/atts (#291) + * fix missing versin info in release build (#283) + * bump github.com/docker/docker in the go_modules group across 1 directory (#281) + * updated install script (`install.sh`) (#280) + * fix digest images being lost on load of hauls (Signed). (#259) + * feat: add readonly flag (#277) + * fixed makefile for goreleaser v2 changes (#278) + * updated goreleaser versioning defaults (#279) + * update feature_request.md (#274) + * updated old references + * updated actions workflow user + * added dockerhub to github actions workflow + * removed helm chart + * added debug container and workflow + * updated products flag description + * updated chart for release + * fixed workflow errors/warnings + * fixed permissions on testdata + * updated chart versions (will need to update again) + * last bit of fixes to workflow + * updated unit test workflow + * updated goreleaser deprecations + * added helm chart release job + * updated github template names + * updated imports (and go fmt) + * formatted gitignore to match dockerignore + * formatted all code (go fmt) + * updated chart tests for new features + * Adding the timeout flag for fileserver command + * Configure chart commands to use helm clients for OCI and private registry support + * Added some documentation text to sync command + * Bump golang.org/x/net from 0.17.0 to 0.23.0 + * fix for dup digest smashing in cosign + * removed vagrant scripts + * last bit of updates and formatting of chart + * updated hauler testdata + * adding functionality and cleaning up + * added initial helm chart + * removed tag in release workflow + * updated/fixed image ref in release workflow + * updated/fixed platforms in release workflow + * updated/cleaned github actions (#222) + * Make Product Registry configurable (#194) + * updated fileserver directory name (#219) + * fix logging for files + * add extra info for the tempdir override flag + * tempdir override flag for load + * deprecate the cache flag instead of remove + * switch to using bci-golang as builder image + * fix: ensure /tmp for hauler store load + * added the copy back for now + * remove copy at the image sync not needed with cosign update + * removed misleading cache flag + * better logging when adding to store + * update to v2.2.3 of our cosign fork + * add: dockerignore + * add: Dockerfile + * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 + * Bump github.com/docker/docker + * updated and added new logos + * updated github files + +------------------------------------------------------------------- +Tue Apr 2 14:55:42 UTC 2024 - Dirk Müller + +- update to 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * fix exit code on error @amartin120 + * add registry flag to cli for sync @amartin120 +- update to 1.0.0: + * adding graphics @bgulla + * updated readme and removed roadmap @zackbradys + * updated/cleaned up install.sh @zackbradys + * remove deprecated commands @amartin120 + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names @amartin120 + * add login command @amartin120 + * update to add size totals and cosign bits to the info +- update to 0.4.4: + * add annotations for registry @amartin120 + * add annotations for key and platform @amartin120 + * Flags passed from the CLI have a global effect on any image + UNLESS it has a (key/platform) specified on the individual + image. Individual image key/platform takes precedence. + * If you have `hauler.dev/key` and/or `hauler.dev/platform` at + the annotation level, it would work just like the CLI flag + and globally apply for everything except individual images + specifying otherwise. Just like above. + * If you just so happen to provide both an annotation AND the + CLI flag for the same thing, the CLI flag wins. + * As for the `hauler.dev/registry` annotation, it will apply + globally unless the provided image reference already has a + registry specified in its name. +- update to 0.4.3: + * dep bumps for security vuln fixes @amartin120 + * check tag to determine pre-release @amartin120 + * Update install.sh for file cleaning @clemenko + * add platform flag for image add and sync @amartin120 + * bump cosign version to v2.2.2+carbide.2 @amartin120 + * improve cosign setup @amartin120 + * updated archive default name @zackbradys + * add license file @amartin120 + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` @amartin120 + +------------------------------------------------------------------- +Tue Apr 02 13:41:54 UTC 2024 - dmueller@suse.com + +- Update to version 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * reverting changes for logos (#189) + * adding graphics + * fix exit code on error + * add registry flag to cli for sync + * updated readme and removed roadmap + * updated/cleaned up install.sh + * remove deprecated commands + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names + * add login command + * update to add size totals and cosign bits to the info command + * switch the 'apply the registry override first in a image sync + * switch the 'not a multi-arch image' log message to be debug + * fix whitspace issue + * add better logging for save + * add annotations for registry + * add annotations for key and platform + * dep bumps for security vuln fixes + * check tag to determine pre-release + * Update install.sh + * Update install.sh for file cleaning + * clean up makefile + * remove extra debug statement + * another fix for the unit test gh action + * add platform flag for image add and sync + * adjust unit test gh action for latest updates + * bump cosign version to v2.2.2+carbide.2 + * improve cosign setup + * updated archive default name + * add license file + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` + * added homebrew install instructions + * updated hauler version and automated default version + +------------------------------------------------------------------- +Mon Jan 22 12:19:32 UTC 2024 - Dirk Müller + +- Initial package (0.4.2) diff --git a/hauler.spec b/hauler.spec new file mode 100644 index 0000000..3bf0681 --- /dev/null +++ b/hauler.spec @@ -0,0 +1,71 @@ +# +# spec file for package hauler +# +# Copyright (c) 2025 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: hauler +Version: 1.2.3 +%global git_commit 5021f3ab6b364a5172fe9fece97bf3742ab1b4ce +Release: 0 +Summary: Airgap Swiss Army Knife +License: Apache-2.0 +Group: System/Management +URL: https://github.com/rancherfederal/hauler +Source: %{name}-%{version}.tar.zst +Source1: vendor.tar.zst +ExclusiveArch: x86_64 aarch64 +BuildRequires: cosign +BuildRequires: golang-packaging +BuildRequires: zstd +BuildRequires: golang(API) = 1.23 + +%description +Rancher Government Hauler simplifies the airgap experience without requiring +users to adopt a specific workflow. Hauler simplifies the airgapping process, +by representing assets (images, charts, files, etc...) as content and +collections to allow users to easily fetch, store, package, and distribute +these assets with declarative manifests or through the command line. + +Hauler does this by storing contents and collections as OCI Artifacts and +allows users to serve contents and collections with an embedded registry and +fileserver. Additionally, Hauler has the ability to store and inspect various +non-image OCI Artifacts. + +%prep +%autosetup -p1 -a1 + +%build +export CGO_ENABLED=1 +mkdir -p cmd/hauler/binaries/ +%ifarch aarch64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-arm64 +%endif +%ifarch x86_64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-amd64 +%endif +# s -w -X {{ .Env.vpkg }}.gitVersion={{ .Version }} -X {{ .Env.vpkg }}.gitCommit={{ .ShortCommit }} -X {{ .Env.vpkg }}.gitTreeState={{if .IsGitDirty}}dirty{{else}}clean{{end}} -X {{ .Env.vpkg }}.buildDate={{ .Date }} +go build -o hauler -mod=vendor -buildmode=pie -trimpath -ldflags "-s -w -X github.com/rancherfederal/hauler/internal/version.gitVersion=%{version} \ + -X github.com/rancherfederal/hauler/internal/version.gitCommit=%{git_commit} \ + -X github.com/rancherfederal/hauler/internal/version.gitTreeState=clean" cmd/hauler/main.go + +%install +install -D -m 755 hauler %{buildroot}/%{_bindir}/%{name} + +%files +%doc README.md +%{_bindir}/%{name} + +%changelog diff --git a/vendor.tar.zst b/vendor.tar.zst new file mode 100644 index 0000000..7fce3a2 --- /dev/null +++ b/vendor.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c6a115aef5b728f8b17378d9e91c0153bce46704e0a073a9c9452a9fa1bae836 +size 11976263 -- 2.51.1 From cad49e9205dab165ef8f1fd8971050259be2a9f6129181f0459203dae838570c Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Thu, 1 May 2025 16:37:05 +0000 Subject: [PATCH 5/9] - update to 1.2.4 (CVE-2025-22872, bsc#1241804): * Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules group across 1 directory * minor tests updates OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/hauler?expand=0&rev=19 --- .gitattributes | 23 ++ .gitignore | 1 + ...les-group-across-1-directory-with-2-.patch | 106 ++++++++ _service | 20 ++ _servicedata | 4 + hauler-1.0.1.tar.zst | 3 + hauler-1.1.1.tar.zst | 3 + hauler-1.2.2.tar.zst | 3 + hauler-1.2.3.tar.zst | 3 + hauler-1.2.4.tar.zst | 3 + hauler.changes | 255 ++++++++++++++++++ hauler.spec | 71 +++++ vendor.tar.zst | 3 + 13 files changed, 498 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch create mode 100644 _service create mode 100644 _servicedata create mode 100644 hauler-1.0.1.tar.zst create mode 100644 hauler-1.1.1.tar.zst create mode 100644 hauler-1.2.2.tar.zst create mode 100644 hauler-1.2.3.tar.zst create mode 100644 hauler-1.2.4.tar.zst create mode 100644 hauler.changes create mode 100644 hauler.spec create mode 100644 vendor.tar.zst diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch b/0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch new file mode 100644 index 0000000..667b95b --- /dev/null +++ b/0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch @@ -0,0 +1,106 @@ +From 5f5cd64c2f6825da0a53e223c871e36b8035bf08 Mon Sep 17 00:00:00 2001 +From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> +Date: Fri, 10 Jan 2025 19:59:36 -0500 +Subject: [PATCH] Bump the go_modules group across 1 directory with 2 updates + (#385) + +--- + go.mod | 4 ++-- + go.sum | 7 ++++--- + 2 files changed, 6 insertions(+), 5 deletions(-) + +Index: hauler-1.1.1/go.mod +=================================================================== +--- hauler-1.1.1.orig/go.mod ++++ hauler-1.1.1/go.mod +@@ -22,7 +22,7 @@ require ( + github.com/sirupsen/logrus v1.9.3 + github.com/spf13/afero v1.10.0 + github.com/spf13/cobra v1.8.1 +- golang.org/x/sync v0.8.0 ++ golang.org/x/sync v0.10.0 + helm.sh/helm/v3 v3.16.3 + k8s.io/apimachinery v0.31.3 + k8s.io/client-go v0.31.3 +@@ -149,12 +149,12 @@ require ( + go.opentelemetry.io/otel v1.28.0 // indirect + go.opentelemetry.io/otel/metric v1.28.0 // indirect + go.opentelemetry.io/otel/trace v1.28.0 // indirect +- golang.org/x/crypto v0.28.0 // indirect +- golang.org/x/net v0.30.0 // indirect ++ golang.org/x/crypto v0.31.0 // indirect ++ golang.org/x/net v0.33.0 // indirect + golang.org/x/oauth2 v0.23.0 // indirect +- golang.org/x/sys v0.26.0 // indirect +- golang.org/x/term v0.25.0 // indirect +- golang.org/x/text v0.19.0 // indirect ++ golang.org/x/sys v0.28.0 // indirect ++ golang.org/x/term v0.27.0 // indirect ++ golang.org/x/text v0.21.0 // indirect + golang.org/x/time v0.7.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect + google.golang.org/grpc v1.65.0 // indirect +Index: hauler-1.1.1/go.sum +=================================================================== +--- hauler-1.1.1.orig/go.sum ++++ hauler-1.1.1/go.sum +@@ -559,8 +559,8 @@ golang.org/x/crypto v0.0.0-2019101119153 + golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= + golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= + golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +-golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= +-golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= ++golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= ++golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= + golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +@@ -630,8 +630,8 @@ golang.org/x/net v0.0.0-20201209123823-a + golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= + golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= + golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= +-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= ++golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= ++golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= + golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= + golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= + golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +@@ -653,8 +653,8 @@ golang.org/x/sync v0.0.0-20200317015054- + golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= ++golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= ++golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= + golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +@@ -701,11 +701,11 @@ golang.org/x/sys v0.0.0-20220811171246-f + golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= ++golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= ++golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= + golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +-golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= +-golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= ++golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= ++golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= + golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +@@ -714,8 +714,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/ + golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= + golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= + golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +-golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +-golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= ++golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= ++golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= + golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff --git a/_service b/_service new file mode 100644 index 0000000..dec08bf --- /dev/null +++ b/_service @@ -0,0 +1,20 @@ + + + https://github.com/rancherfederal/hauler + git + v1.2.4 + @PARENT_TAG@ + v(.*) + enable + + + hauler-*.tar + zst + + + hauler + + + zst + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..e0779f8 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/rancherfederal/hauler + e089c3187973854504691e970d0b89dfd8b62ce1 \ No newline at end of file diff --git a/hauler-1.0.1.tar.zst b/hauler-1.0.1.tar.zst new file mode 100644 index 0000000..6bf5450 --- /dev/null +++ b/hauler-1.0.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4646f6e1493d727b809834a35680c05afe80a6a9b2ea738745e0dc21fb194fa5 +size 106519 diff --git a/hauler-1.1.1.tar.zst b/hauler-1.1.1.tar.zst new file mode 100644 index 0000000..fdc7c70 --- /dev/null +++ b/hauler-1.1.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fc675db57a4fbf2ffd4ee694842ddbb15d4381d1de554931ed8875c928db5344 +size 25626074 diff --git a/hauler-1.2.2.tar.zst b/hauler-1.2.2.tar.zst new file mode 100644 index 0000000..2326104 --- /dev/null +++ b/hauler-1.2.2.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6f34eff91b437a9f770f5be93351572e1adec68ab62986c437ed2dd9723539b6 +size 25649917 diff --git a/hauler-1.2.3.tar.zst b/hauler-1.2.3.tar.zst new file mode 100644 index 0000000..6f9af55 --- /dev/null +++ b/hauler-1.2.3.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:44f2c6011998d1f4790ff737400a885198af4354a1f3d2fd6a086f10f62b1116 +size 25650129 diff --git a/hauler-1.2.4.tar.zst b/hauler-1.2.4.tar.zst new file mode 100644 index 0000000..f1d2d46 --- /dev/null +++ b/hauler-1.2.4.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3070b21a004652f52101254415771447b26ab3b8fb90419ea0f6558f2929b403 +size 25650322 diff --git a/hauler.changes b/hauler.changes new file mode 100644 index 0000000..594cfa9 --- /dev/null +++ b/hauler.changes @@ -0,0 +1,255 @@ +------------------------------------------------------------------- +Thu May 1 16:34:57 UTC 2025 - Dirk Müller + +- update to 1.2.4 (CVE-2025-22872, bsc#1241804): + * Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules + group across 1 directory + * minor tests updates + +------------------------------------------------------------------- +Mon Apr 28 09:58:05 UTC 2025 - Dirk Müller + +- Update to version 1.2.3: + * formatting and flag text updates + * add keyless signature verification (#434) + * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430) + * add --only flag to hauler store copy (for images) (#429) + * fix tlog verification error/warning output (#428) + +------------------------------------------------------------------- +Tue Apr 15 08:10:25 UTC 2025 - dmueller@suse.com + +- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406): + * cleanup new tlog flag typos and add shorthand (#426) + * default public transparency log verification to false to be airgap friendly but allow override (#425) + * bump github.com/golang-jwt/jwt/v4 (#423) + * bump the go_modules group across 1 directory with 2 updates (#422) + * bump github.com/go-jose/go-jose/v3 (#417) + * bump github.com/go-jose/go-jose/v4 (#415) + * clear default manifest name if product flag used with sync (#412) + * updates for v1.2.0 (#408) + * fixed remote code (#407) + * added remote file fetch to load (#406) + * added remote and multiple file fetch to sync (#405) + * updated save flag and related logs (#404) + * updated load flag and related logs [breaking change] (#403) + * updated sync flag and related logs [breaking change] (#402) + * upgraded api update to v1/updated dependencies (#400) + * fixed consts for oci declarations (#398) + * fix for correctly grabbing platform post cosign 2.4 updates (#393) + * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390) + * Bump the go_modules group across 1 directory with 2 updates (#385) + * replace mholt/archiver with mholt/archives (#384) + * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383) + * cleaned up registry and improved logging (#378) + * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377) +- drop + 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + (upstream) + +------------------------------------------------------------------- +Wed Jan 29 10:25:57 UTC 2025 - Dirk Müller + +- add 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + to bump net/html dependencies (bsc#1235332, CVE-2024-45338) + +------------------------------------------------------------------- +Mon Jan 27 19:30:58 UTC 2025 - dmueller@suse.com + +- Update to version 1.1.1: + * fixed cli desc for store env var (#374) + * updated versions for go/k8s/helm (#373) + * updated version flag to internal/flags (#369) + * renamed incorrectly named consts (#371) + * added store env var (#370) + * adding ignore errors and retries for continue on error/fail on error (#368) + * updated/fixed hauler directory (#354) + * standardize consts (#353) + * removed cachedir code (#355) + * removed k3s code (#352) + * updated dependencies for go, helm, and k8s (#351) + * [feature] build with boring crypto where available (#344) + * updated workflow to goreleaser builds (#341) + * added timeout to goreleaser workflow (#340) + * trying new workflow build processes (#337) + * improved workflow performance (#336) + * have extract use proper ref (#335) + * yet another workflow goreleaser fix (#334) + * even more workflow fixes (#333) + * added more fixes to github workflow (#332) + * fixed typo in hauler store save (#331) + * updates to fix build processes (#330) + * added integration tests for non hauler tarballs (#325) + * bump: golang >= 1.23.1 (#328) + * add platform flag to store save (#329) + * Update feature_request.md + * updated/standardize command descriptions (#313) + * use new annotation for 'store save' manifest.json (#324) + * enable docker load for hauler tarballs (#320) + * bump to cosign v2.2.3-carbide.3 for new annotation (#322) + * continue on error when adding images to store (#317) + * Update README.md (#318) + * fixed completion commands (#312) + * github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311) + * pages: enable go install hauler.dev/go/hauler (#310) + * Create CNAME + * pages: initial workflow (#309) + * testing and linting updates (#305) + * feat-273: TLS Flags (#303) + * added list-repos flag (#298) + * fixed hauler login typo (#299) + * updated cobra function for shell completion (#304) + * updated install.sh to remove github api (#293) + * fix image ref keys getting squashed when containing sigs/atts (#291) + * fix missing versin info in release build (#283) + * bump github.com/docker/docker in the go_modules group across 1 directory (#281) + * updated install script (`install.sh`) (#280) + * fix digest images being lost on load of hauls (Signed). (#259) + * feat: add readonly flag (#277) + * fixed makefile for goreleaser v2 changes (#278) + * updated goreleaser versioning defaults (#279) + * update feature_request.md (#274) + * updated old references + * updated actions workflow user + * added dockerhub to github actions workflow + * removed helm chart + * added debug container and workflow + * updated products flag description + * updated chart for release + * fixed workflow errors/warnings + * fixed permissions on testdata + * updated chart versions (will need to update again) + * last bit of fixes to workflow + * updated unit test workflow + * updated goreleaser deprecations + * added helm chart release job + * updated github template names + * updated imports (and go fmt) + * formatted gitignore to match dockerignore + * formatted all code (go fmt) + * updated chart tests for new features + * Adding the timeout flag for fileserver command + * Configure chart commands to use helm clients for OCI and private registry support + * Added some documentation text to sync command + * Bump golang.org/x/net from 0.17.0 to 0.23.0 + * fix for dup digest smashing in cosign + * removed vagrant scripts + * last bit of updates and formatting of chart + * updated hauler testdata + * adding functionality and cleaning up + * added initial helm chart + * removed tag in release workflow + * updated/fixed image ref in release workflow + * updated/fixed platforms in release workflow + * updated/cleaned github actions (#222) + * Make Product Registry configurable (#194) + * updated fileserver directory name (#219) + * fix logging for files + * add extra info for the tempdir override flag + * tempdir override flag for load + * deprecate the cache flag instead of remove + * switch to using bci-golang as builder image + * fix: ensure /tmp for hauler store load + * added the copy back for now + * remove copy at the image sync not needed with cosign update + * removed misleading cache flag + * better logging when adding to store + * update to v2.2.3 of our cosign fork + * add: dockerignore + * add: Dockerfile + * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 + * Bump github.com/docker/docker + * updated and added new logos + * updated github files + +------------------------------------------------------------------- +Tue Apr 2 14:55:42 UTC 2024 - Dirk Müller + +- update to 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * fix exit code on error @amartin120 + * add registry flag to cli for sync @amartin120 +- update to 1.0.0: + * adding graphics @bgulla + * updated readme and removed roadmap @zackbradys + * updated/cleaned up install.sh @zackbradys + * remove deprecated commands @amartin120 + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names @amartin120 + * add login command @amartin120 + * update to add size totals and cosign bits to the info +- update to 0.4.4: + * add annotations for registry @amartin120 + * add annotations for key and platform @amartin120 + * Flags passed from the CLI have a global effect on any image + UNLESS it has a (key/platform) specified on the individual + image. Individual image key/platform takes precedence. + * If you have `hauler.dev/key` and/or `hauler.dev/platform` at + the annotation level, it would work just like the CLI flag + and globally apply for everything except individual images + specifying otherwise. Just like above. + * If you just so happen to provide both an annotation AND the + CLI flag for the same thing, the CLI flag wins. + * As for the `hauler.dev/registry` annotation, it will apply + globally unless the provided image reference already has a + registry specified in its name. +- update to 0.4.3: + * dep bumps for security vuln fixes @amartin120 + * check tag to determine pre-release @amartin120 + * Update install.sh for file cleaning @clemenko + * add platform flag for image add and sync @amartin120 + * bump cosign version to v2.2.2+carbide.2 @amartin120 + * improve cosign setup @amartin120 + * updated archive default name @zackbradys + * add license file @amartin120 + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` @amartin120 + +------------------------------------------------------------------- +Tue Apr 02 13:41:54 UTC 2024 - dmueller@suse.com + +- Update to version 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * reverting changes for logos (#189) + * adding graphics + * fix exit code on error + * add registry flag to cli for sync + * updated readme and removed roadmap + * updated/cleaned up install.sh + * remove deprecated commands + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names + * add login command + * update to add size totals and cosign bits to the info command + * switch the 'apply the registry override first in a image sync + * switch the 'not a multi-arch image' log message to be debug + * fix whitspace issue + * add better logging for save + * add annotations for registry + * add annotations for key and platform + * dep bumps for security vuln fixes + * check tag to determine pre-release + * Update install.sh + * Update install.sh for file cleaning + * clean up makefile + * remove extra debug statement + * another fix for the unit test gh action + * add platform flag for image add and sync + * adjust unit test gh action for latest updates + * bump cosign version to v2.2.2+carbide.2 + * improve cosign setup + * updated archive default name + * add license file + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` + * added homebrew install instructions + * updated hauler version and automated default version + +------------------------------------------------------------------- +Mon Jan 22 12:19:32 UTC 2024 - Dirk Müller + +- Initial package (0.4.2) diff --git a/hauler.spec b/hauler.spec new file mode 100644 index 0000000..459e90f --- /dev/null +++ b/hauler.spec @@ -0,0 +1,71 @@ +# +# spec file for package hauler +# +# Copyright (c) 2025 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: hauler +Version: 1.2.4 +%global git_commit 5021f3ab6b364a5172fe9fece97bf3742ab1b4ce +Release: 0 +Summary: Airgap Swiss Army Knife +License: Apache-2.0 +Group: System/Management +URL: https://github.com/rancherfederal/hauler +Source: %{name}-%{version}.tar.zst +Source1: vendor.tar.zst +ExclusiveArch: x86_64 aarch64 +BuildRequires: cosign +BuildRequires: golang-packaging +BuildRequires: zstd +BuildRequires: golang(API) = 1.23 + +%description +Rancher Government Hauler simplifies the airgap experience without requiring +users to adopt a specific workflow. Hauler simplifies the airgapping process, +by representing assets (images, charts, files, etc...) as content and +collections to allow users to easily fetch, store, package, and distribute +these assets with declarative manifests or through the command line. + +Hauler does this by storing contents and collections as OCI Artifacts and +allows users to serve contents and collections with an embedded registry and +fileserver. Additionally, Hauler has the ability to store and inspect various +non-image OCI Artifacts. + +%prep +%autosetup -p1 -a1 + +%build +export CGO_ENABLED=1 +mkdir -p cmd/hauler/binaries/ +%ifarch aarch64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-arm64 +%endif +%ifarch x86_64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-amd64 +%endif +# s -w -X {{ .Env.vpkg }}.gitVersion={{ .Version }} -X {{ .Env.vpkg }}.gitCommit={{ .ShortCommit }} -X {{ .Env.vpkg }}.gitTreeState={{if .IsGitDirty}}dirty{{else}}clean{{end}} -X {{ .Env.vpkg }}.buildDate={{ .Date }} +go build -o hauler -mod=vendor -buildmode=pie -trimpath -ldflags "-s -w -X github.com/rancherfederal/hauler/internal/version.gitVersion=%{version} \ + -X github.com/rancherfederal/hauler/internal/version.gitCommit=%{git_commit} \ + -X github.com/rancherfederal/hauler/internal/version.gitTreeState=clean" cmd/hauler/main.go + +%install +install -D -m 755 hauler %{buildroot}/%{_bindir}/%{name} + +%files +%doc README.md +%{_bindir}/%{name} + +%changelog diff --git a/vendor.tar.zst b/vendor.tar.zst new file mode 100644 index 0000000..d18d7ea --- /dev/null +++ b/vendor.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1b7927d5ea4bff63f08ee679a8ae11cb0b3805a1474f37f1515cf715785349f3 +size 11988961 -- 2.51.1 From 59b8881cf25f672453343d3b824366ca98c81f3dedea2d12fdf0aa42340a25cc Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Mon, 21 Jul 2025 12:28:48 +0000 Subject: [PATCH 6/9] - update to 1.2.5: * Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in the go_modules group across 1 directory * deprecate auth from hauler store copy * Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the go_modules group across 1 directory * Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 in the go_modules group across 1 directory * upgraded go and dependencies versions - Update to version 1.2.5: * upgraded go and dependencies versions (#444) * Bump github.com/go-viper/mapstructure/v2 (#442) * bump github.com/cloudflare/circl (#441) * deprecate auth from hauler store copy (#440) * Bump github.com/open-policy-agent/opa (#438) OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/hauler?expand=0&rev=21 --- .gitattributes | 23 ++ .gitignore | 1 + ...les-group-across-1-directory-with-2-.patch | 106 +++++++ _service | 20 ++ _servicedata | 4 + hauler-1.0.1.tar.zst | 3 + hauler-1.1.1.tar.zst | 3 + hauler-1.2.2.tar.zst | 3 + hauler-1.2.3.tar.zst | 3 + hauler-1.2.4.tar.zst | 3 + hauler-1.2.5.tar.zst | 3 + hauler.changes | 278 ++++++++++++++++++ hauler.spec | 71 +++++ vendor.tar.zst | 3 + 14 files changed, 524 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch create mode 100644 _service create mode 100644 _servicedata create mode 100644 hauler-1.0.1.tar.zst create mode 100644 hauler-1.1.1.tar.zst create mode 100644 hauler-1.2.2.tar.zst create mode 100644 hauler-1.2.3.tar.zst create mode 100644 hauler-1.2.4.tar.zst create mode 100644 hauler-1.2.5.tar.zst create mode 100644 hauler.changes create mode 100644 hauler.spec create mode 100644 vendor.tar.zst diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch b/0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch new file mode 100644 index 0000000..667b95b --- /dev/null +++ b/0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch @@ -0,0 +1,106 @@ +From 5f5cd64c2f6825da0a53e223c871e36b8035bf08 Mon Sep 17 00:00:00 2001 +From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> +Date: Fri, 10 Jan 2025 19:59:36 -0500 +Subject: [PATCH] Bump the go_modules group across 1 directory with 2 updates + (#385) + +--- + go.mod | 4 ++-- + go.sum | 7 ++++--- + 2 files changed, 6 insertions(+), 5 deletions(-) + +Index: hauler-1.1.1/go.mod +=================================================================== +--- hauler-1.1.1.orig/go.mod ++++ hauler-1.1.1/go.mod +@@ -22,7 +22,7 @@ require ( + github.com/sirupsen/logrus v1.9.3 + github.com/spf13/afero v1.10.0 + github.com/spf13/cobra v1.8.1 +- golang.org/x/sync v0.8.0 ++ golang.org/x/sync v0.10.0 + helm.sh/helm/v3 v3.16.3 + k8s.io/apimachinery v0.31.3 + k8s.io/client-go v0.31.3 +@@ -149,12 +149,12 @@ require ( + go.opentelemetry.io/otel v1.28.0 // indirect + go.opentelemetry.io/otel/metric v1.28.0 // indirect + go.opentelemetry.io/otel/trace v1.28.0 // indirect +- golang.org/x/crypto v0.28.0 // indirect +- golang.org/x/net v0.30.0 // indirect ++ golang.org/x/crypto v0.31.0 // indirect ++ golang.org/x/net v0.33.0 // indirect + golang.org/x/oauth2 v0.23.0 // indirect +- golang.org/x/sys v0.26.0 // indirect +- golang.org/x/term v0.25.0 // indirect +- golang.org/x/text v0.19.0 // indirect ++ golang.org/x/sys v0.28.0 // indirect ++ golang.org/x/term v0.27.0 // indirect ++ golang.org/x/text v0.21.0 // indirect + golang.org/x/time v0.7.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect + google.golang.org/grpc v1.65.0 // indirect +Index: hauler-1.1.1/go.sum +=================================================================== +--- hauler-1.1.1.orig/go.sum ++++ hauler-1.1.1/go.sum +@@ -559,8 +559,8 @@ golang.org/x/crypto v0.0.0-2019101119153 + golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= + golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= + golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +-golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= +-golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= ++golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= ++golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= + golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +@@ -630,8 +630,8 @@ golang.org/x/net v0.0.0-20201209123823-a + golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= + golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= + golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= +-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= ++golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= ++golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= + golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= + golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= + golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +@@ -653,8 +653,8 @@ golang.org/x/sync v0.0.0-20200317015054- + golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= ++golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= ++golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= + golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +@@ -701,11 +701,11 @@ golang.org/x/sys v0.0.0-20220811171246-f + golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= ++golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= ++golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= + golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +-golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= +-golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= ++golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= ++golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= + golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +@@ -714,8 +714,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/ + golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= + golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= + golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +-golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +-golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= ++golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= ++golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= + golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff --git a/_service b/_service new file mode 100644 index 0000000..afa51e7 --- /dev/null +++ b/_service @@ -0,0 +1,20 @@ + + + https://github.com/rancherfederal/hauler + git + v1.2.5 + @PARENT_TAG@ + v(.*) + enable + + + hauler-*.tar + zst + + + hauler + + + zst + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..ebd9b9a --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/rancherfederal/hauler + 3e44c53b757f3cc0a7eb8f00f101752766d0bf49 \ No newline at end of file diff --git a/hauler-1.0.1.tar.zst b/hauler-1.0.1.tar.zst new file mode 100644 index 0000000..6bf5450 --- /dev/null +++ b/hauler-1.0.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4646f6e1493d727b809834a35680c05afe80a6a9b2ea738745e0dc21fb194fa5 +size 106519 diff --git a/hauler-1.1.1.tar.zst b/hauler-1.1.1.tar.zst new file mode 100644 index 0000000..fdc7c70 --- /dev/null +++ b/hauler-1.1.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fc675db57a4fbf2ffd4ee694842ddbb15d4381d1de554931ed8875c928db5344 +size 25626074 diff --git a/hauler-1.2.2.tar.zst b/hauler-1.2.2.tar.zst new file mode 100644 index 0000000..2326104 --- /dev/null +++ b/hauler-1.2.2.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6f34eff91b437a9f770f5be93351572e1adec68ab62986c437ed2dd9723539b6 +size 25649917 diff --git a/hauler-1.2.3.tar.zst b/hauler-1.2.3.tar.zst new file mode 100644 index 0000000..6f9af55 --- /dev/null +++ b/hauler-1.2.3.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:44f2c6011998d1f4790ff737400a885198af4354a1f3d2fd6a086f10f62b1116 +size 25650129 diff --git a/hauler-1.2.4.tar.zst b/hauler-1.2.4.tar.zst new file mode 100644 index 0000000..f1d2d46 --- /dev/null +++ b/hauler-1.2.4.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3070b21a004652f52101254415771447b26ab3b8fb90419ea0f6558f2929b403 +size 25650322 diff --git a/hauler-1.2.5.tar.zst b/hauler-1.2.5.tar.zst new file mode 100644 index 0000000..8ee67be --- /dev/null +++ b/hauler-1.2.5.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:aca7f2046c3abe745bcb6da2f5a191decd393491c8bbb89ae027e7d9cdb54326 +size 25649934 diff --git a/hauler.changes b/hauler.changes new file mode 100644 index 0000000..3c8b3a4 --- /dev/null +++ b/hauler.changes @@ -0,0 +1,278 @@ +------------------------------------------------------------------- +Mon Jul 21 12:28:01 UTC 2025 - Dirk Müller + +- update to 1.2.5: + * Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in + the go_modules group across 1 directory + * deprecate auth from hauler store copy + * Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the + go_modules group across 1 directory + * Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 + in the go_modules group across 1 directory + * upgraded go and dependencies versions + +------------------------------------------------------------------- +Mon Jul 21 12:23:59 UTC 2025 - Dirk Müller + +- Update to version 1.2.5: + * upgraded go and dependencies versions (#444) + * Bump github.com/go-viper/mapstructure/v2 (#442) + * bump github.com/cloudflare/circl (#441) + * deprecate auth from hauler store copy (#440) + * Bump github.com/open-policy-agent/opa (#438) + +------------------------------------------------------------------- +Thu May 1 16:34:57 UTC 2025 - Dirk Müller + +- update to 1.2.4 (CVE-2025-22872, bsc#1241804): + * Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules + group across 1 directory + * minor tests updates + +------------------------------------------------------------------- +Mon Apr 28 09:58:05 UTC 2025 - Dirk Müller + +- Update to version 1.2.3: + * formatting and flag text updates + * add keyless signature verification (#434) + * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430) + * add --only flag to hauler store copy (for images) (#429) + * fix tlog verification error/warning output (#428) + +------------------------------------------------------------------- +Tue Apr 15 08:10:25 UTC 2025 - dmueller@suse.com + +- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406): + * cleanup new tlog flag typos and add shorthand (#426) + * default public transparency log verification to false to be airgap friendly but allow override (#425) + * bump github.com/golang-jwt/jwt/v4 (#423) + * bump the go_modules group across 1 directory with 2 updates (#422) + * bump github.com/go-jose/go-jose/v3 (#417) + * bump github.com/go-jose/go-jose/v4 (#415) + * clear default manifest name if product flag used with sync (#412) + * updates for v1.2.0 (#408) + * fixed remote code (#407) + * added remote file fetch to load (#406) + * added remote and multiple file fetch to sync (#405) + * updated save flag and related logs (#404) + * updated load flag and related logs [breaking change] (#403) + * updated sync flag and related logs [breaking change] (#402) + * upgraded api update to v1/updated dependencies (#400) + * fixed consts for oci declarations (#398) + * fix for correctly grabbing platform post cosign 2.4 updates (#393) + * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390) + * Bump the go_modules group across 1 directory with 2 updates (#385) + * replace mholt/archiver with mholt/archives (#384) + * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383) + * cleaned up registry and improved logging (#378) + * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377) +- drop + 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + (upstream) + +------------------------------------------------------------------- +Wed Jan 29 10:25:57 UTC 2025 - Dirk Müller + +- add 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + to bump net/html dependencies (bsc#1235332, CVE-2024-45338) + +------------------------------------------------------------------- +Mon Jan 27 19:30:58 UTC 2025 - dmueller@suse.com + +- Update to version 1.1.1: + * fixed cli desc for store env var (#374) + * updated versions for go/k8s/helm (#373) + * updated version flag to internal/flags (#369) + * renamed incorrectly named consts (#371) + * added store env var (#370) + * adding ignore errors and retries for continue on error/fail on error (#368) + * updated/fixed hauler directory (#354) + * standardize consts (#353) + * removed cachedir code (#355) + * removed k3s code (#352) + * updated dependencies for go, helm, and k8s (#351) + * [feature] build with boring crypto where available (#344) + * updated workflow to goreleaser builds (#341) + * added timeout to goreleaser workflow (#340) + * trying new workflow build processes (#337) + * improved workflow performance (#336) + * have extract use proper ref (#335) + * yet another workflow goreleaser fix (#334) + * even more workflow fixes (#333) + * added more fixes to github workflow (#332) + * fixed typo in hauler store save (#331) + * updates to fix build processes (#330) + * added integration tests for non hauler tarballs (#325) + * bump: golang >= 1.23.1 (#328) + * add platform flag to store save (#329) + * Update feature_request.md + * updated/standardize command descriptions (#313) + * use new annotation for 'store save' manifest.json (#324) + * enable docker load for hauler tarballs (#320) + * bump to cosign v2.2.3-carbide.3 for new annotation (#322) + * continue on error when adding images to store (#317) + * Update README.md (#318) + * fixed completion commands (#312) + * github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311) + * pages: enable go install hauler.dev/go/hauler (#310) + * Create CNAME + * pages: initial workflow (#309) + * testing and linting updates (#305) + * feat-273: TLS Flags (#303) + * added list-repos flag (#298) + * fixed hauler login typo (#299) + * updated cobra function for shell completion (#304) + * updated install.sh to remove github api (#293) + * fix image ref keys getting squashed when containing sigs/atts (#291) + * fix missing versin info in release build (#283) + * bump github.com/docker/docker in the go_modules group across 1 directory (#281) + * updated install script (`install.sh`) (#280) + * fix digest images being lost on load of hauls (Signed). (#259) + * feat: add readonly flag (#277) + * fixed makefile for goreleaser v2 changes (#278) + * updated goreleaser versioning defaults (#279) + * update feature_request.md (#274) + * updated old references + * updated actions workflow user + * added dockerhub to github actions workflow + * removed helm chart + * added debug container and workflow + * updated products flag description + * updated chart for release + * fixed workflow errors/warnings + * fixed permissions on testdata + * updated chart versions (will need to update again) + * last bit of fixes to workflow + * updated unit test workflow + * updated goreleaser deprecations + * added helm chart release job + * updated github template names + * updated imports (and go fmt) + * formatted gitignore to match dockerignore + * formatted all code (go fmt) + * updated chart tests for new features + * Adding the timeout flag for fileserver command + * Configure chart commands to use helm clients for OCI and private registry support + * Added some documentation text to sync command + * Bump golang.org/x/net from 0.17.0 to 0.23.0 + * fix for dup digest smashing in cosign + * removed vagrant scripts + * last bit of updates and formatting of chart + * updated hauler testdata + * adding functionality and cleaning up + * added initial helm chart + * removed tag in release workflow + * updated/fixed image ref in release workflow + * updated/fixed platforms in release workflow + * updated/cleaned github actions (#222) + * Make Product Registry configurable (#194) + * updated fileserver directory name (#219) + * fix logging for files + * add extra info for the tempdir override flag + * tempdir override flag for load + * deprecate the cache flag instead of remove + * switch to using bci-golang as builder image + * fix: ensure /tmp for hauler store load + * added the copy back for now + * remove copy at the image sync not needed with cosign update + * removed misleading cache flag + * better logging when adding to store + * update to v2.2.3 of our cosign fork + * add: dockerignore + * add: Dockerfile + * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 + * Bump github.com/docker/docker + * updated and added new logos + * updated github files + +------------------------------------------------------------------- +Tue Apr 2 14:55:42 UTC 2024 - Dirk Müller + +- update to 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * fix exit code on error @amartin120 + * add registry flag to cli for sync @amartin120 +- update to 1.0.0: + * adding graphics @bgulla + * updated readme and removed roadmap @zackbradys + * updated/cleaned up install.sh @zackbradys + * remove deprecated commands @amartin120 + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names @amartin120 + * add login command @amartin120 + * update to add size totals and cosign bits to the info +- update to 0.4.4: + * add annotations for registry @amartin120 + * add annotations for key and platform @amartin120 + * Flags passed from the CLI have a global effect on any image + UNLESS it has a (key/platform) specified on the individual + image. Individual image key/platform takes precedence. + * If you have `hauler.dev/key` and/or `hauler.dev/platform` at + the annotation level, it would work just like the CLI flag + and globally apply for everything except individual images + specifying otherwise. Just like above. + * If you just so happen to provide both an annotation AND the + CLI flag for the same thing, the CLI flag wins. + * As for the `hauler.dev/registry` annotation, it will apply + globally unless the provided image reference already has a + registry specified in its name. +- update to 0.4.3: + * dep bumps for security vuln fixes @amartin120 + * check tag to determine pre-release @amartin120 + * Update install.sh for file cleaning @clemenko + * add platform flag for image add and sync @amartin120 + * bump cosign version to v2.2.2+carbide.2 @amartin120 + * improve cosign setup @amartin120 + * updated archive default name @zackbradys + * add license file @amartin120 + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` @amartin120 + +------------------------------------------------------------------- +Tue Apr 02 13:41:54 UTC 2024 - dmueller@suse.com + +- Update to version 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * reverting changes for logos (#189) + * adding graphics + * fix exit code on error + * add registry flag to cli for sync + * updated readme and removed roadmap + * updated/cleaned up install.sh + * remove deprecated commands + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names + * add login command + * update to add size totals and cosign bits to the info command + * switch the 'apply the registry override first in a image sync + * switch the 'not a multi-arch image' log message to be debug + * fix whitspace issue + * add better logging for save + * add annotations for registry + * add annotations for key and platform + * dep bumps for security vuln fixes + * check tag to determine pre-release + * Update install.sh + * Update install.sh for file cleaning + * clean up makefile + * remove extra debug statement + * another fix for the unit test gh action + * add platform flag for image add and sync + * adjust unit test gh action for latest updates + * bump cosign version to v2.2.2+carbide.2 + * improve cosign setup + * updated archive default name + * add license file + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` + * added homebrew install instructions + * updated hauler version and automated default version + +------------------------------------------------------------------- +Mon Jan 22 12:19:32 UTC 2024 - Dirk Müller + +- Initial package (0.4.2) diff --git a/hauler.spec b/hauler.spec new file mode 100644 index 0000000..2ee51c3 --- /dev/null +++ b/hauler.spec @@ -0,0 +1,71 @@ +# +# spec file for package hauler +# +# Copyright (c) 2025 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: hauler +Version: 1.2.5 +%global git_commit 5021f3ab6b364a5172fe9fece97bf3742ab1b4ce +Release: 0 +Summary: Airgap Swiss Army Knife +License: Apache-2.0 +Group: System/Management +URL: https://github.com/rancherfederal/hauler +Source: %{name}-%{version}.tar.zst +Source1: vendor.tar.zst +ExclusiveArch: x86_64 aarch64 +BuildRequires: cosign +BuildRequires: golang-packaging +BuildRequires: zstd +BuildRequires: golang(API) = 1.24 + +%description +Rancher Government Hauler simplifies the airgap experience without requiring +users to adopt a specific workflow. Hauler simplifies the airgapping process, +by representing assets (images, charts, files, etc...) as content and +collections to allow users to easily fetch, store, package, and distribute +these assets with declarative manifests or through the command line. + +Hauler does this by storing contents and collections as OCI Artifacts and +allows users to serve contents and collections with an embedded registry and +fileserver. Additionally, Hauler has the ability to store and inspect various +non-image OCI Artifacts. + +%prep +%autosetup -p1 -a1 + +%build +export CGO_ENABLED=1 +mkdir -p cmd/hauler/binaries/ +%ifarch aarch64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-arm64 +%endif +%ifarch x86_64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-amd64 +%endif +# s -w -X {{ .Env.vpkg }}.gitVersion={{ .Version }} -X {{ .Env.vpkg }}.gitCommit={{ .ShortCommit }} -X {{ .Env.vpkg }}.gitTreeState={{if .IsGitDirty}}dirty{{else}}clean{{end}} -X {{ .Env.vpkg }}.buildDate={{ .Date }} +go build -o hauler -mod=vendor -buildmode=pie -trimpath -ldflags "-s -w -X github.com/rancherfederal/hauler/internal/version.gitVersion=%{version} \ + -X github.com/rancherfederal/hauler/internal/version.gitCommit=%{git_commit} \ + -X github.com/rancherfederal/hauler/internal/version.gitTreeState=clean" cmd/hauler/main.go + +%install +install -D -m 755 hauler %{buildroot}/%{_bindir}/%{name} + +%files +%doc README.md +%{_bindir}/%{name} + +%changelog diff --git a/vendor.tar.zst b/vendor.tar.zst new file mode 100644 index 0000000..b3c61eb --- /dev/null +++ b/vendor.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c3c10790a99c5cf078d50efe81e32f89aa32428b3d0d1f0a1bbf910e023d3bdd +size 12078094 -- 2.51.1 From 6fa1715698218108e90ba100bfdcbd1582218a4d7728257cca75c175d9cb3247 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Mon, 21 Jul 2025 12:29:18 +0000 Subject: [PATCH 7/9] - update to 1.2.5 (bsc#1246722, CVE-2025-46569): the go_modules group across 1 directory (CVE-2025-46569) OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/hauler?expand=0&rev=22 --- hauler.changes | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hauler.changes b/hauler.changes index 3c8b3a4..4ded577 100644 --- a/hauler.changes +++ b/hauler.changes @@ -1,9 +1,9 @@ ------------------------------------------------------------------- Mon Jul 21 12:28:01 UTC 2025 - Dirk Müller -- update to 1.2.5: +- update to 1.2.5 (bsc#1246722, CVE-2025-46569): * Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in - the go_modules group across 1 directory + the go_modules group across 1 directory (CVE-2025-46569) * deprecate auth from hauler store copy * Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the go_modules group across 1 directory -- 2.51.1 From 705fe01c7ad714816db217fb6f2354037015f965d8cd3469a95b16dc088dfe16 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Mon, 27 Oct 2025 08:44:28 +0000 Subject: [PATCH 8/9] - Update to version 1.3.0: * bump the go_modules group across 1 directory with 2 updates (#455) * upgraded versions/dependencies/deprecations (#454) * allow loading of docker tarballs (#452) * bump the go_modules group across 1 directory with 2 updates (#449) OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/hauler?expand=0&rev=24 --- .gitattributes | 23 ++++ .gitignore | 1 + _service | 20 +++ _servicedata | 4 + hauler-1.3.0.tar.zst | 3 + hauler.changes | 287 +++++++++++++++++++++++++++++++++++++++++++ hauler.spec | 71 +++++++++++ vendor.tar.zst | 3 + 8 files changed, 412 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 hauler-1.3.0.tar.zst create mode 100644 hauler.changes create mode 100644 hauler.spec create mode 100644 vendor.tar.zst diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..4ed74b8 --- /dev/null +++ b/_service @@ -0,0 +1,20 @@ + + + https://github.com/rancherfederal/hauler + git + v1.3.0 + @PARENT_TAG@ + v(.*) + enable + + + hauler-*.tar + zst + + + hauler + + + zst + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..dc341b7 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/rancherfederal/hauler + 0fafca87f99117cc22215bee22e036d3dbfcd4e8 \ No newline at end of file diff --git a/hauler-1.3.0.tar.zst b/hauler-1.3.0.tar.zst new file mode 100644 index 0000000..df6f9fd --- /dev/null +++ b/hauler-1.3.0.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9d9c9863cece3041f0458a8c33c459d66d7441293fa9d9b52ed61b0a23a0b8a4 +size 25650444 diff --git a/hauler.changes b/hauler.changes new file mode 100644 index 0000000..4be128f --- /dev/null +++ b/hauler.changes @@ -0,0 +1,287 @@ +------------------------------------------------------------------- +Mon Oct 27 08:34:44 UTC 2025 - Dirk Müller + +- Update to version 1.3.0: + * bump the go_modules group across 1 directory with 2 updates (#455) + * upgraded versions/dependencies/deprecations (#454) + * allow loading of docker tarballs (#452) + * bump the go_modules group across 1 directory with 2 updates (#449) + +------------------------------------------------------------------- +Mon Jul 21 12:28:01 UTC 2025 - Dirk Müller + +- update to 1.2.5 (bsc#1246722, CVE-2025-46569): + * Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in + the go_modules group across 1 directory (CVE-2025-46569) + * deprecate auth from hauler store copy + * Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the + go_modules group across 1 directory + * Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 + in the go_modules group across 1 directory + * upgraded go and dependencies versions + +------------------------------------------------------------------- +Mon Jul 21 12:23:59 UTC 2025 - Dirk Müller + +- Update to version 1.2.5: + * upgraded go and dependencies versions (#444) + * Bump github.com/go-viper/mapstructure/v2 (#442) + * bump github.com/cloudflare/circl (#441) + * deprecate auth from hauler store copy (#440) + * Bump github.com/open-policy-agent/opa (#438) + +------------------------------------------------------------------- +Thu May 1 16:34:57 UTC 2025 - Dirk Müller + +- update to 1.2.4 (CVE-2025-22872, bsc#1241804): + * Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules + group across 1 directory + * minor tests updates + +------------------------------------------------------------------- +Mon Apr 28 09:58:05 UTC 2025 - Dirk Müller + +- Update to version 1.2.3: + * formatting and flag text updates + * add keyless signature verification (#434) + * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430) + * add --only flag to hauler store copy (for images) (#429) + * fix tlog verification error/warning output (#428) + +------------------------------------------------------------------- +Tue Apr 15 08:10:25 UTC 2025 - dmueller@suse.com + +- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406): + * cleanup new tlog flag typos and add shorthand (#426) + * default public transparency log verification to false to be airgap friendly but allow override (#425) + * bump github.com/golang-jwt/jwt/v4 (#423) + * bump the go_modules group across 1 directory with 2 updates (#422) + * bump github.com/go-jose/go-jose/v3 (#417) + * bump github.com/go-jose/go-jose/v4 (#415) + * clear default manifest name if product flag used with sync (#412) + * updates for v1.2.0 (#408) + * fixed remote code (#407) + * added remote file fetch to load (#406) + * added remote and multiple file fetch to sync (#405) + * updated save flag and related logs (#404) + * updated load flag and related logs [breaking change] (#403) + * updated sync flag and related logs [breaking change] (#402) + * upgraded api update to v1/updated dependencies (#400) + * fixed consts for oci declarations (#398) + * fix for correctly grabbing platform post cosign 2.4 updates (#393) + * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390) + * Bump the go_modules group across 1 directory with 2 updates (#385) + * replace mholt/archiver with mholt/archives (#384) + * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383) + * cleaned up registry and improved logging (#378) + * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377) +- drop + 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + (upstream) + +------------------------------------------------------------------- +Wed Jan 29 10:25:57 UTC 2025 - Dirk Müller + +- add 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + to bump net/html dependencies (bsc#1235332, CVE-2024-45338) + +------------------------------------------------------------------- +Mon Jan 27 19:30:58 UTC 2025 - dmueller@suse.com + +- Update to version 1.1.1: + * fixed cli desc for store env var (#374) + * updated versions for go/k8s/helm (#373) + * updated version flag to internal/flags (#369) + * renamed incorrectly named consts (#371) + * added store env var (#370) + * adding ignore errors and retries for continue on error/fail on error (#368) + * updated/fixed hauler directory (#354) + * standardize consts (#353) + * removed cachedir code (#355) + * removed k3s code (#352) + * updated dependencies for go, helm, and k8s (#351) + * [feature] build with boring crypto where available (#344) + * updated workflow to goreleaser builds (#341) + * added timeout to goreleaser workflow (#340) + * trying new workflow build processes (#337) + * improved workflow performance (#336) + * have extract use proper ref (#335) + * yet another workflow goreleaser fix (#334) + * even more workflow fixes (#333) + * added more fixes to github workflow (#332) + * fixed typo in hauler store save (#331) + * updates to fix build processes (#330) + * added integration tests for non hauler tarballs (#325) + * bump: golang >= 1.23.1 (#328) + * add platform flag to store save (#329) + * Update feature_request.md + * updated/standardize command descriptions (#313) + * use new annotation for 'store save' manifest.json (#324) + * enable docker load for hauler tarballs (#320) + * bump to cosign v2.2.3-carbide.3 for new annotation (#322) + * continue on error when adding images to store (#317) + * Update README.md (#318) + * fixed completion commands (#312) + * github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311) + * pages: enable go install hauler.dev/go/hauler (#310) + * Create CNAME + * pages: initial workflow (#309) + * testing and linting updates (#305) + * feat-273: TLS Flags (#303) + * added list-repos flag (#298) + * fixed hauler login typo (#299) + * updated cobra function for shell completion (#304) + * updated install.sh to remove github api (#293) + * fix image ref keys getting squashed when containing sigs/atts (#291) + * fix missing versin info in release build (#283) + * bump github.com/docker/docker in the go_modules group across 1 directory (#281) + * updated install script (`install.sh`) (#280) + * fix digest images being lost on load of hauls (Signed). (#259) + * feat: add readonly flag (#277) + * fixed makefile for goreleaser v2 changes (#278) + * updated goreleaser versioning defaults (#279) + * update feature_request.md (#274) + * updated old references + * updated actions workflow user + * added dockerhub to github actions workflow + * removed helm chart + * added debug container and workflow + * updated products flag description + * updated chart for release + * fixed workflow errors/warnings + * fixed permissions on testdata + * updated chart versions (will need to update again) + * last bit of fixes to workflow + * updated unit test workflow + * updated goreleaser deprecations + * added helm chart release job + * updated github template names + * updated imports (and go fmt) + * formatted gitignore to match dockerignore + * formatted all code (go fmt) + * updated chart tests for new features + * Adding the timeout flag for fileserver command + * Configure chart commands to use helm clients for OCI and private registry support + * Added some documentation text to sync command + * Bump golang.org/x/net from 0.17.0 to 0.23.0 + * fix for dup digest smashing in cosign + * removed vagrant scripts + * last bit of updates and formatting of chart + * updated hauler testdata + * adding functionality and cleaning up + * added initial helm chart + * removed tag in release workflow + * updated/fixed image ref in release workflow + * updated/fixed platforms in release workflow + * updated/cleaned github actions (#222) + * Make Product Registry configurable (#194) + * updated fileserver directory name (#219) + * fix logging for files + * add extra info for the tempdir override flag + * tempdir override flag for load + * deprecate the cache flag instead of remove + * switch to using bci-golang as builder image + * fix: ensure /tmp for hauler store load + * added the copy back for now + * remove copy at the image sync not needed with cosign update + * removed misleading cache flag + * better logging when adding to store + * update to v2.2.3 of our cosign fork + * add: dockerignore + * add: Dockerfile + * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 + * Bump github.com/docker/docker + * updated and added new logos + * updated github files + +------------------------------------------------------------------- +Tue Apr 2 14:55:42 UTC 2024 - Dirk Müller + +- update to 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * fix exit code on error @amartin120 + * add registry flag to cli for sync @amartin120 +- update to 1.0.0: + * adding graphics @bgulla + * updated readme and removed roadmap @zackbradys + * updated/cleaned up install.sh @zackbradys + * remove deprecated commands @amartin120 + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names @amartin120 + * add login command @amartin120 + * update to add size totals and cosign bits to the info +- update to 0.4.4: + * add annotations for registry @amartin120 + * add annotations for key and platform @amartin120 + * Flags passed from the CLI have a global effect on any image + UNLESS it has a (key/platform) specified on the individual + image. Individual image key/platform takes precedence. + * If you have `hauler.dev/key` and/or `hauler.dev/platform` at + the annotation level, it would work just like the CLI flag + and globally apply for everything except individual images + specifying otherwise. Just like above. + * If you just so happen to provide both an annotation AND the + CLI flag for the same thing, the CLI flag wins. + * As for the `hauler.dev/registry` annotation, it will apply + globally unless the provided image reference already has a + registry specified in its name. +- update to 0.4.3: + * dep bumps for security vuln fixes @amartin120 + * check tag to determine pre-release @amartin120 + * Update install.sh for file cleaning @clemenko + * add platform flag for image add and sync @amartin120 + * bump cosign version to v2.2.2+carbide.2 @amartin120 + * improve cosign setup @amartin120 + * updated archive default name @zackbradys + * add license file @amartin120 + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` @amartin120 + +------------------------------------------------------------------- +Tue Apr 02 13:41:54 UTC 2024 - dmueller@suse.com + +- Update to version 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * reverting changes for logos (#189) + * adding graphics + * fix exit code on error + * add registry flag to cli for sync + * updated readme and removed roadmap + * updated/cleaned up install.sh + * remove deprecated commands + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names + * add login command + * update to add size totals and cosign bits to the info command + * switch the 'apply the registry override first in a image sync + * switch the 'not a multi-arch image' log message to be debug + * fix whitspace issue + * add better logging for save + * add annotations for registry + * add annotations for key and platform + * dep bumps for security vuln fixes + * check tag to determine pre-release + * Update install.sh + * Update install.sh for file cleaning + * clean up makefile + * remove extra debug statement + * another fix for the unit test gh action + * add platform flag for image add and sync + * adjust unit test gh action for latest updates + * bump cosign version to v2.2.2+carbide.2 + * improve cosign setup + * updated archive default name + * add license file + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` + * added homebrew install instructions + * updated hauler version and automated default version + +------------------------------------------------------------------- +Mon Jan 22 12:19:32 UTC 2024 - Dirk Müller + +- Initial package (0.4.2) diff --git a/hauler.spec b/hauler.spec new file mode 100644 index 0000000..a12776b --- /dev/null +++ b/hauler.spec @@ -0,0 +1,71 @@ +# +# spec file for package hauler +# +# Copyright (c) 2025 SUSE LLC and contributors +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: hauler +Version: 1.3.0 +%global git_commit 0fafca87f99117cc22215bee22e036d3dbfcd4e8 +Release: 0 +Summary: Airgap Swiss Army Knife +License: Apache-2.0 +Group: System/Management +URL: https://github.com/rancherfederal/hauler +Source: %{name}-%{version}.tar.zst +Source1: vendor.tar.zst +ExclusiveArch: x86_64 aarch64 +BuildRequires: cosign +BuildRequires: golang-packaging +BuildRequires: zstd +BuildRequires: golang(API) = 1.25 + +%description +Rancher Government Hauler simplifies the airgap experience without requiring +users to adopt a specific workflow. Hauler simplifies the airgapping process, +by representing assets (images, charts, files, etc...) as content and +collections to allow users to easily fetch, store, package, and distribute +these assets with declarative manifests or through the command line. + +Hauler does this by storing contents and collections as OCI Artifacts and +allows users to serve contents and collections with an embedded registry and +fileserver. Additionally, Hauler has the ability to store and inspect various +non-image OCI Artifacts. + +%prep +%autosetup -p1 -a1 + +%build +export CGO_ENABLED=1 +mkdir -p cmd/hauler/binaries/ +%ifarch aarch64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-arm64 +%endif +%ifarch x86_64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-amd64 +%endif +# s -w -X {{ .Env.vpkg }}.gitVersion={{ .Version }} -X {{ .Env.vpkg }}.gitCommit={{ .ShortCommit }} -X {{ .Env.vpkg }}.gitTreeState={{if .IsGitDirty}}dirty{{else}}clean{{end}} -X {{ .Env.vpkg }}.buildDate={{ .Date }} +go build -o hauler -mod=vendor -buildmode=pie -trimpath -ldflags "-s -w -X github.com/rancherfederal/hauler/internal/version.gitVersion=%{version} \ + -X github.com/rancherfederal/hauler/internal/version.gitCommit=%{git_commit} \ + -X github.com/rancherfederal/hauler/internal/version.gitTreeState=clean" cmd/hauler/main.go + +%install +install -D -m 755 hauler %{buildroot}/%{_bindir}/%{name} + +%files +%doc README.md +%{_bindir}/%{name} + +%changelog diff --git a/vendor.tar.zst b/vendor.tar.zst new file mode 100644 index 0000000..964d278 --- /dev/null +++ b/vendor.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e723fc483bb17c7000883f22432e2e08d630d6254a29e9f73b18d97c99cf67dd +size 12303261 -- 2.51.1 From b395c09e15cc4f99a7cb0069c384af4473fd9befad8ba514536252eb735dc00f Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Mon, 10 Nov 2025 15:15:18 +0000 Subject: [PATCH 9/9] - Update to version 1.3.1 (bsc#1251516, CVE-2025-47911, bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190, bsc#1248937, CVE-2025-58058): * bump github.com/containerd/containerd (#474) * another fix to tests for new tests (#472) * fixed typo in testdata (#471) * fixed/cleaned new tests (#470) * trying a new way for hauler testing (#467) * update for cosign v3 verify (#469) * added digests view to info (#465) * bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457) * update oras-go to v1.2.7 for security patches (#464) * update cosign to v3.0.2+hauler.1 (#463) * fixed homebrew directory deprecation (#462) * add registry logout command (#460) OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/hauler?expand=0&rev=26 --- .gitattributes | 23 ++++ .gitignore | 1 + _service | 20 +++ _servicedata | 4 + hauler-1.3.0.tar.zst | 3 + hauler-1.3.1.tar.zst | 3 + hauler.changes | 306 +++++++++++++++++++++++++++++++++++++++++++ hauler.spec | 71 ++++++++++ vendor.tar.zst | 3 + 9 files changed, 434 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 hauler-1.3.0.tar.zst create mode 100644 hauler-1.3.1.tar.zst create mode 100644 hauler.changes create mode 100644 hauler.spec create mode 100644 vendor.tar.zst diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..08ec141 --- /dev/null +++ b/_service @@ -0,0 +1,20 @@ + + + https://github.com/rancherfederal/hauler + git + v1.3.1 + @PARENT_TAG@ + v(.*) + enable + + + hauler-*.tar + zst + + + hauler + + + zst + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..604c7ea --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/rancherfederal/hauler + 5edc8802eec20adc7d0b75847f77446d6f531012 \ No newline at end of file diff --git a/hauler-1.3.0.tar.zst b/hauler-1.3.0.tar.zst new file mode 100644 index 0000000..df6f9fd --- /dev/null +++ b/hauler-1.3.0.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9d9c9863cece3041f0458a8c33c459d66d7441293fa9d9b52ed61b0a23a0b8a4 +size 25650444 diff --git a/hauler-1.3.1.tar.zst b/hauler-1.3.1.tar.zst new file mode 100644 index 0000000..31cc228 --- /dev/null +++ b/hauler-1.3.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:29d2ba55aa1559f81cec9d929459cbe1661b84b55be47b8d3bbcfed15cdd17ae +size 25692295 diff --git a/hauler.changes b/hauler.changes new file mode 100644 index 0000000..c10d8ac --- /dev/null +++ b/hauler.changes @@ -0,0 +1,306 @@ +------------------------------------------------------------------- +Mon Nov 10 15:08:12 UTC 2025 - Dirk Müller + +- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911, + bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190, + bsc#1248937, CVE-2025-58058): + * bump github.com/containerd/containerd (#474) + * another fix to tests for new tests (#472) + * fixed typo in testdata (#471) + * fixed/cleaned new tests (#470) + * trying a new way for hauler testing (#467) + * update for cosign v3 verify (#469) + * added digests view to info (#465) + * bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457) + * update oras-go to v1.2.7 for security patches (#464) + * update cosign to v3.0.2+hauler.1 (#463) + * fixed homebrew directory deprecation (#462) + * add registry logout command (#460) + +------------------------------------------------------------------- +Mon Oct 27 08:34:44 UTC 2025 - Dirk Müller + +- Update to version 1.3.0: + * bump the go_modules group across 1 directory with 2 updates (#455) + * upgraded versions/dependencies/deprecations (#454) + * allow loading of docker tarballs (#452) + * bump the go_modules group across 1 directory with 2 updates (#449) + +------------------------------------------------------------------- +Mon Jul 21 12:28:01 UTC 2025 - Dirk Müller + +- update to 1.2.5 (bsc#1246722, CVE-2025-46569): + * Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in + the go_modules group across 1 directory (CVE-2025-46569) + * deprecate auth from hauler store copy + * Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the + go_modules group across 1 directory + * Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 + in the go_modules group across 1 directory + * upgraded go and dependencies versions + +------------------------------------------------------------------- +Mon Jul 21 12:23:59 UTC 2025 - Dirk Müller + +- Update to version 1.2.5: + * upgraded go and dependencies versions (#444) + * Bump github.com/go-viper/mapstructure/v2 (#442) + * bump github.com/cloudflare/circl (#441) + * deprecate auth from hauler store copy (#440) + * Bump github.com/open-policy-agent/opa (#438) + +------------------------------------------------------------------- +Thu May 1 16:34:57 UTC 2025 - Dirk Müller + +- update to 1.2.4 (CVE-2025-22872, bsc#1241804): + * Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules + group across 1 directory + * minor tests updates + +------------------------------------------------------------------- +Mon Apr 28 09:58:05 UTC 2025 - Dirk Müller + +- Update to version 1.2.3: + * formatting and flag text updates + * add keyless signature verification (#434) + * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430) + * add --only flag to hauler store copy (for images) (#429) + * fix tlog verification error/warning output (#428) + +------------------------------------------------------------------- +Tue Apr 15 08:10:25 UTC 2025 - dmueller@suse.com + +- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406): + * cleanup new tlog flag typos and add shorthand (#426) + * default public transparency log verification to false to be airgap friendly but allow override (#425) + * bump github.com/golang-jwt/jwt/v4 (#423) + * bump the go_modules group across 1 directory with 2 updates (#422) + * bump github.com/go-jose/go-jose/v3 (#417) + * bump github.com/go-jose/go-jose/v4 (#415) + * clear default manifest name if product flag used with sync (#412) + * updates for v1.2.0 (#408) + * fixed remote code (#407) + * added remote file fetch to load (#406) + * added remote and multiple file fetch to sync (#405) + * updated save flag and related logs (#404) + * updated load flag and related logs [breaking change] (#403) + * updated sync flag and related logs [breaking change] (#402) + * upgraded api update to v1/updated dependencies (#400) + * fixed consts for oci declarations (#398) + * fix for correctly grabbing platform post cosign 2.4 updates (#393) + * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390) + * Bump the go_modules group across 1 directory with 2 updates (#385) + * replace mholt/archiver with mholt/archives (#384) + * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383) + * cleaned up registry and improved logging (#378) + * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377) +- drop + 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + (upstream) + +------------------------------------------------------------------- +Wed Jan 29 10:25:57 UTC 2025 - Dirk Müller + +- add 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + to bump net/html dependencies (bsc#1235332, CVE-2024-45338) + +------------------------------------------------------------------- +Mon Jan 27 19:30:58 UTC 2025 - dmueller@suse.com + +- Update to version 1.1.1: + * fixed cli desc for store env var (#374) + * updated versions for go/k8s/helm (#373) + * updated version flag to internal/flags (#369) + * renamed incorrectly named consts (#371) + * added store env var (#370) + * adding ignore errors and retries for continue on error/fail on error (#368) + * updated/fixed hauler directory (#354) + * standardize consts (#353) + * removed cachedir code (#355) + * removed k3s code (#352) + * updated dependencies for go, helm, and k8s (#351) + * [feature] build with boring crypto where available (#344) + * updated workflow to goreleaser builds (#341) + * added timeout to goreleaser workflow (#340) + * trying new workflow build processes (#337) + * improved workflow performance (#336) + * have extract use proper ref (#335) + * yet another workflow goreleaser fix (#334) + * even more workflow fixes (#333) + * added more fixes to github workflow (#332) + * fixed typo in hauler store save (#331) + * updates to fix build processes (#330) + * added integration tests for non hauler tarballs (#325) + * bump: golang >= 1.23.1 (#328) + * add platform flag to store save (#329) + * Update feature_request.md + * updated/standardize command descriptions (#313) + * use new annotation for 'store save' manifest.json (#324) + * enable docker load for hauler tarballs (#320) + * bump to cosign v2.2.3-carbide.3 for new annotation (#322) + * continue on error when adding images to store (#317) + * Update README.md (#318) + * fixed completion commands (#312) + * github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311) + * pages: enable go install hauler.dev/go/hauler (#310) + * Create CNAME + * pages: initial workflow (#309) + * testing and linting updates (#305) + * feat-273: TLS Flags (#303) + * added list-repos flag (#298) + * fixed hauler login typo (#299) + * updated cobra function for shell completion (#304) + * updated install.sh to remove github api (#293) + * fix image ref keys getting squashed when containing sigs/atts (#291) + * fix missing versin info in release build (#283) + * bump github.com/docker/docker in the go_modules group across 1 directory (#281) + * updated install script (`install.sh`) (#280) + * fix digest images being lost on load of hauls (Signed). (#259) + * feat: add readonly flag (#277) + * fixed makefile for goreleaser v2 changes (#278) + * updated goreleaser versioning defaults (#279) + * update feature_request.md (#274) + * updated old references + * updated actions workflow user + * added dockerhub to github actions workflow + * removed helm chart + * added debug container and workflow + * updated products flag description + * updated chart for release + * fixed workflow errors/warnings + * fixed permissions on testdata + * updated chart versions (will need to update again) + * last bit of fixes to workflow + * updated unit test workflow + * updated goreleaser deprecations + * added helm chart release job + * updated github template names + * updated imports (and go fmt) + * formatted gitignore to match dockerignore + * formatted all code (go fmt) + * updated chart tests for new features + * Adding the timeout flag for fileserver command + * Configure chart commands to use helm clients for OCI and private registry support + * Added some documentation text to sync command + * Bump golang.org/x/net from 0.17.0 to 0.23.0 + * fix for dup digest smashing in cosign + * removed vagrant scripts + * last bit of updates and formatting of chart + * updated hauler testdata + * adding functionality and cleaning up + * added initial helm chart + * removed tag in release workflow + * updated/fixed image ref in release workflow + * updated/fixed platforms in release workflow + * updated/cleaned github actions (#222) + * Make Product Registry configurable (#194) + * updated fileserver directory name (#219) + * fix logging for files + * add extra info for the tempdir override flag + * tempdir override flag for load + * deprecate the cache flag instead of remove + * switch to using bci-golang as builder image + * fix: ensure /tmp for hauler store load + * added the copy back for now + * remove copy at the image sync not needed with cosign update + * removed misleading cache flag + * better logging when adding to store + * update to v2.2.3 of our cosign fork + * add: dockerignore + * add: Dockerfile + * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 + * Bump github.com/docker/docker + * updated and added new logos + * updated github files + +------------------------------------------------------------------- +Tue Apr 2 14:55:42 UTC 2024 - Dirk Müller + +- update to 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * fix exit code on error @amartin120 + * add registry flag to cli for sync @amartin120 +- update to 1.0.0: + * adding graphics @bgulla + * updated readme and removed roadmap @zackbradys + * updated/cleaned up install.sh @zackbradys + * remove deprecated commands @amartin120 + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names @amartin120 + * add login command @amartin120 + * update to add size totals and cosign bits to the info +- update to 0.4.4: + * add annotations for registry @amartin120 + * add annotations for key and platform @amartin120 + * Flags passed from the CLI have a global effect on any image + UNLESS it has a (key/platform) specified on the individual + image. Individual image key/platform takes precedence. + * If you have `hauler.dev/key` and/or `hauler.dev/platform` at + the annotation level, it would work just like the CLI flag + and globally apply for everything except individual images + specifying otherwise. Just like above. + * If you just so happen to provide both an annotation AND the + CLI flag for the same thing, the CLI flag wins. + * As for the `hauler.dev/registry` annotation, it will apply + globally unless the provided image reference already has a + registry specified in its name. +- update to 0.4.3: + * dep bumps for security vuln fixes @amartin120 + * check tag to determine pre-release @amartin120 + * Update install.sh for file cleaning @clemenko + * add platform flag for image add and sync @amartin120 + * bump cosign version to v2.2.2+carbide.2 @amartin120 + * improve cosign setup @amartin120 + * updated archive default name @zackbradys + * add license file @amartin120 + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` @amartin120 + +------------------------------------------------------------------- +Tue Apr 02 13:41:54 UTC 2024 - dmueller@suse.com + +- Update to version 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * reverting changes for logos (#189) + * adding graphics + * fix exit code on error + * add registry flag to cli for sync + * updated readme and removed roadmap + * updated/cleaned up install.sh + * remove deprecated commands + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names + * add login command + * update to add size totals and cosign bits to the info command + * switch the 'apply the registry override first in a image sync + * switch the 'not a multi-arch image' log message to be debug + * fix whitspace issue + * add better logging for save + * add annotations for registry + * add annotations for key and platform + * dep bumps for security vuln fixes + * check tag to determine pre-release + * Update install.sh + * Update install.sh for file cleaning + * clean up makefile + * remove extra debug statement + * another fix for the unit test gh action + * add platform flag for image add and sync + * adjust unit test gh action for latest updates + * bump cosign version to v2.2.2+carbide.2 + * improve cosign setup + * updated archive default name + * add license file + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` + * added homebrew install instructions + * updated hauler version and automated default version + +------------------------------------------------------------------- +Mon Jan 22 12:19:32 UTC 2024 - Dirk Müller + +- Initial package (0.4.2) diff --git a/hauler.spec b/hauler.spec new file mode 100644 index 0000000..e5f1e1c --- /dev/null +++ b/hauler.spec @@ -0,0 +1,71 @@ +# +# spec file for package hauler +# +# Copyright (c) 2025 SUSE LLC and contributors +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: hauler +Version: 1.3.1 +%global git_commit 5edc8802eec20adc7d0b75847f77446d6f531012 +Release: 0 +Summary: Airgap Swiss Army Knife +License: Apache-2.0 +Group: System/Management +URL: https://github.com/rancherfederal/hauler +Source: %{name}-%{version}.tar.zst +Source1: vendor.tar.zst +ExclusiveArch: x86_64 aarch64 +BuildRequires: cosign +BuildRequires: golang-packaging +BuildRequires: zstd +BuildRequires: golang(API) = 1.25 + +%description +Rancher Government Hauler simplifies the airgap experience without requiring +users to adopt a specific workflow. Hauler simplifies the airgapping process, +by representing assets (images, charts, files, etc...) as content and +collections to allow users to easily fetch, store, package, and distribute +these assets with declarative manifests or through the command line. + +Hauler does this by storing contents and collections as OCI Artifacts and +allows users to serve contents and collections with an embedded registry and +fileserver. Additionally, Hauler has the ability to store and inspect various +non-image OCI Artifacts. + +%prep +%autosetup -p1 -a1 + +%build +export CGO_ENABLED=1 +mkdir -p cmd/hauler/binaries/ +%ifarch aarch64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-arm64 +%endif +%ifarch x86_64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-amd64 +%endif +# s -w -X {{ .Env.vpkg }}.gitVersion={{ .Version }} -X {{ .Env.vpkg }}.gitCommit={{ .ShortCommit }} -X {{ .Env.vpkg }}.gitTreeState={{if .IsGitDirty}}dirty{{else}}clean{{end}} -X {{ .Env.vpkg }}.buildDate={{ .Date }} +go build -o hauler -mod=vendor -buildmode=pie -trimpath -ldflags "-s -w -X github.com/rancherfederal/hauler/internal/version.gitVersion=%{version} \ + -X github.com/rancherfederal/hauler/internal/version.gitCommit=%{git_commit} \ + -X github.com/rancherfederal/hauler/internal/version.gitTreeState=clean" cmd/hauler/main.go + +%install +install -D -m 755 hauler %{buildroot}/%{_bindir}/%{name} + +%files +%doc README.md +%{_bindir}/%{name} + +%changelog diff --git a/vendor.tar.zst b/vendor.tar.zst new file mode 100644 index 0000000..478ac39 --- /dev/null +++ b/vendor.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e51a71e7ed12d40cafa4b56c098c168e17182280dc2669b60fb73241c87a58b4 +size 15144124 -- 2.51.1