deviceinsight · whackenb · Mar 24, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,7 +5,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- Add OSS Index Maven plugin for CVE auditing to POM
 
+### Fixed
+- Fix compilation issue with JDK 21 by updating Lombok dependency
+- Fix CVEs by updating Kubernetes client and Jackson dependencies
+- Fix OpenJDK deprecation by migrating base image to Eclipse Temurin
 
 ## [1.1.0]
 ### Fixed

diff --git a/pom.xml b/pom.xml
@@ -14,17 +14,21 @@
 		<maven.compiler.source>11</maven.compiler.source>
 		<maven.compiler.target>11</maven.compiler.target>
 
-		<lombok.version>1.18.2</lombok.version>
-		<fabric-k8s-client.version>4.0.0</fabric-k8s-client.version>
-		<jackson.version>2.11.1</jackson.version>
+		<lombok.version>1.18.36</lombok.version>
+		<fabric8-kubernetes-client.version>7.1.0</fabric8-kubernetes-client.version>
+		<jackson.version>2.18.3</jackson.version>
+		<netty.version>4.1.119.Final</netty.version>
 
-		<maven-assembly-plugin.version>3.1.0</maven-assembly-plugin.version>
-		<docker-plugin.version>0.33.0</docker-plugin.version>
-		<helm-maven-plugin.version>2.4.1</helm-maven-plugin.version>
-		<gitflow-maven-plugin.version>1.14.0</gitflow-maven-plugin.version>
-		<helm.version>2.16.9</helm.version>
+		<maven-assembly-plugin.version>3.7.1</maven-assembly-plugin.version>
+		<maven-deploy-plugin.version>3.1.4</maven-deploy-plugin.version>
+		<docker-maven-plugin.version>0.44.0</docker-maven-plugin.version>
+		<helm-maven-plugin.version>2.13.0</helm-maven-plugin.version>
+		<gitflow-maven-plugin.version>1.21.0</gitflow-maven-plugin.version>
+		<ossindex-maven-plugin.version>3.2.0</ossindex-maven-plugin.version>
 
-		<helm.repository.url>https://kubernetes-charts.storage.googleapis.com</helm.repository.url>
+		<helm.version>3.17.0</helm.version>
+
+		<docker.baseImage>library/eclipse-temurin:11-jdk</docker.baseImage>
 	</properties>
 
 	<organization>
@@ -51,7 +55,14 @@
 			<dependency>
 				<groupId>io.fabric8</groupId>
 				<artifactId>kubernetes-client-bom</artifactId>
-				<version>${fabric-k8s-client.version}</version>
+				<version>${fabric8-kubernetes-client.version}</version>
+				<scope>import</scope>
+				<type>pom</type>
+			</dependency>
+			<dependency>
+				<groupId>io.netty</groupId>
+				<artifactId>netty-bom</artifactId>
+				<version>${netty.version}</version>
 				<scope>import</scope>
 				<type>pom</type>
 			</dependency>
@@ -92,6 +103,7 @@
 	<build>
 		<plugins>
 			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-assembly-plugin</artifactId>
 				<version>${maven-assembly-plugin.version}</version>
 				<configuration>
@@ -115,16 +127,34 @@
 					</execution>
 				</executions>
 			</plugin>
+			<plugin>
+				<groupId>org.sonatype.ossindex.maven</groupId>
+				<artifactId>ossindex-maven-plugin</artifactId>
+				<version>${ossindex-maven-plugin.version}</version>
+				<configuration>
+					<fail>true</fail>
+					<reportFile>${project.build.directory}/audit-report.txt</reportFile>
+				</configuration>
+				<executions>
+					<execution>
+						<id>audit-dependencies</id>
+						<phase>validate</phase>
+						<goals>
+							<goal>audit</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
 			<plugin>
 				<groupId>io.fabric8</groupId>
 				<artifactId>docker-maven-plugin</artifactId>
-				<version>${docker-plugin.version}</version>
+				<version>${docker-maven-plugin.version}</version>
 				<configuration>
 					<images>
 						<image>
 							<name>deviceinsight/k8s-secret-provisioner</name>
 							<build>
-								<from>library/openjdk:11-jdk</from>
+								<from>${docker.baseImage}</from>
 								<tags>
 									<tag>${project.version}</tag>
 								</tags>
@@ -166,7 +196,6 @@
 				<version>${helm-maven-plugin.version}</version>
 				<configuration>
 					<chartName>k8s-secret-provisioner</chartName>
-					<chartRepoUrl>${helm.repository.url}</chartRepoUrl>
 					<helmVersion>${helm.version}</helmVersion>
 					<skipSnapshots>false</skipSnapshots>
 				</configuration>
@@ -193,6 +222,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-deploy-plugin</artifactId>
+				<version>${maven-deploy-plugin.version}</version>
 				<configuration>
 					<!-- disable JAR deployment, because only the Docker Image is used via the Helm Chart -->
 					<skip>true</skip>

diff --git a/src/main/java/com/deviceinsight/k8s/secretprovisioner/SecretProvisioner.java b/src/main/java/com/deviceinsight/k8s/secretprovisioner/SecretProvisioner.java
@@ -5,7 +5,8 @@
 import com.deviceinsight.k8s.secretprovisioner.config.SecretIdentifier;
 
 import io.fabric8.kubernetes.api.model.Secret;
-import io.fabric8.kubernetes.client.NamespacedKubernetesClient;
+import io.fabric8.kubernetes.api.model.SecretBuilder;
+import io.fabric8.kubernetes.client.KubernetesClient;
 import lombok.extern.java.Log;
 
 import java.util.Map;
@@ -16,7 +17,7 @@
 @Log
 public class SecretProvisioner {
 
-	public void provisionSecrets(NamespacedKubernetesClient client, SecretConfiguration config) {
+	public void provisionSecrets(KubernetesClient client, SecretConfiguration config) {
 		log.info("Provisioning secrets with configuration " + config);
 
 		var managedSecrets = config.getSecrets().stream()
@@ -27,10 +28,9 @@ public void provisionSecrets(NamespacedKubernetesClient client, SecretConfigurat
 						}));
 
 		managedSecrets.forEach((k, v) -> ensureSecretExists(client, k, v, config.getRelease()));
-
 	}
 
-	private static void ensureSecretExists(NamespacedKubernetesClient client, SecretIdentifier identifier,
+	private static void ensureSecretExists(KubernetesClient client, SecretIdentifier identifier,
 			Map<String, String> secretData, String release) {
 
 		var secret = Optional.ofNullable(
@@ -42,21 +42,21 @@ private static void ensureSecretExists(NamespacedKubernetesClient client, Secret
 		}
 	}
 
-	private static void createSecret(NamespacedKubernetesClient client, SecretIdentifier identifier,
+	private static void createSecret(KubernetesClient client, SecretIdentifier identifier,
 			Map<String, String> secretData, String release) {
 
 		log.info(String.format("Creating secret %s with %s keys", identifier, secretData.keySet()));
-		client.secrets().inNamespace(identifier.getNamespace()).createNew()
+		client.secrets().inNamespace(identifier.getNamespace()).resource(new SecretBuilder()
 				.withNewMetadata()
 				.withName(identifier.getName())
 				.addToLabels("release", release)
 				.addToLabels("app", "k8s-secret-provisioner")
-				.endMetadata()
-				.addToData(secretData)
-				.done();
+				.endMetadata().addToData(secretData)
+				.build())
+				.create();
 	}
 
-	private static void editSecret(NamespacedKubernetesClient client, Secret secret, Map<String, String> secretData) {
+	private static void editSecret(KubernetesClient client, Secret secret, Map<String, String> secretData) {
 		var metaData = secret.getMetadata();
 		var existingKeys = secret.getData().keySet();
 		var secretDataToAdd = secretData.entrySet().stream()
@@ -65,13 +65,12 @@ private static void editSecret(NamespacedKubernetesClient client, Secret secret,
 
 		if (!secretDataToAdd.isEmpty()) {
 			log.info(String.format("Adding secret keys %s to secret %s", metaData, secretDataToAdd));
-			client.secrets().inNamespace(metaData.getNamespace()).withName(metaData.getName()).edit()
-					.addToData(secretDataToAdd)
-					.done();
+			client.secrets()
+					.inNamespace(metaData.getNamespace())
+					.withName(metaData.getName())
+					.edit(s -> new SecretBuilder(s).addToData(secretDataToAdd).build());
 		} else {
 			log.info(String.format("Skipping modification of secret %s, since all keys are present", metaData));
 		}
 	}
-
-
 }
diff --git a/src/main/java/com/deviceinsight/k8s/secretprovisioner/SecretProvisionerApp.java b/src/main/java/com/deviceinsight/k8s/secretprovisioner/SecretProvisionerApp.java
@@ -4,7 +4,7 @@
 import com.deviceinsight.k8s.secretprovisioner.config.InvalidConfigurationFileException;
 import com.deviceinsight.k8s.secretprovisioner.config.SecretConfiguration;
 
-import io.fabric8.kubernetes.client.DefaultKubernetesClient;
+import io.fabric8.kubernetes.client.KubernetesClientBuilder;
 import lombok.extern.java.Log;
 
 import java.io.File;
@@ -22,7 +22,7 @@ public static void main(String[] args) throws IOException {
 		}
 
 		var config = SecretConfiguration.fromFile(configurationFile);
-		try (var client = new DefaultKubernetesClient()) {
+		try (var client = new KubernetesClientBuilder().build()) {
 			new SecretProvisioner().provisionSecrets(client, config);
 		} catch (RuntimeException e) {
 			log.log(Level.SEVERE, "Failed to provision secrets", e);