feat: add kube-ovn

Signed-off-by: Kevin Carter <[email protected]>

Author: cloudnull

.github/workflows/container-build-kube-ovn.yaml

@@ -0,0 +1,155 @@
+---
+name: Create and publish a kube-ovn image
+
+permissions:
+  actions: read
+  contents: read
+  id-token: write
+  packages: write
+  pull-requests: write
+  security-events: write
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/container-build-kube-ovn.yaml
+      - ContainerFiles/kube-ovn
+  schedule:
+    - cron: '0 0 * * 0'  # Run Weekly at midnight UTC
+  workflow_dispatch:
+    inputs:
+      kube-ovn-version:
+        description: 'Version of Kube-OVN to use'
+        required: true
+        default: "v1.14.4"
+        type: choice
+        options:
+          - "v1.13.14"
+          - "v1.14.4"
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}/kube-ovn
+  # NOTE(cloudnull): This is used to parse the workflow_dispatch inputs, sadly the inputs are not available in the
+  #                  workflow_dispatch event, so they're being stored in the environment variables. This is a
+  #                  workaround until there's a better way to handle this.
+  kube_ovn: >
+    ["v1.14.4", "v1.13.14"]
+jobs:
+  init:
+    runs-on: ubuntu-latest
+    outputs:
+      kube-ovn-version: ${{ steps.generate-matrix.outputs.kube_ovn }}
+    steps:
+      - name: generate-matrix
+        id: generate-matrix
+        run: |
+          if [ "${{ github.event_name == 'workflow_dispatch' }}" = "true" ]; then
+            kube_ovn="$(echo '${{ github.event.inputs.kube-ovn-version }}' | jq -R '[select(length>0)]' | jq -c '.')"
+          fi
+          echo "kube_ovn=${kube_ovn:-${{ env.kube_ovn }}}" >> $GITHUB_OUTPUT
+  build-and-push-image:
+    needs:
+      - init
+    strategy:
+      matrix:
+        kube-ovn-version: ${{ fromJSON(needs.init.outputs.kube-ovn-version) }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Dynamically set MY_DATE environment variable
+        run: echo "MY_DATE=$(date +%s)" >> $GITHUB_ENV
+      - name: Dynamically set environment variables
+        run: |
+          VERSION=$(echo -n "${{ matrix.kube-ovn-version }}" | awk -F'/' '{($2=="" ? x=$1 : x=$2); print x}')
+          echo "OS_VERSION_PARSE=${VERSION}" >> $GITHUB_ENV
+          NAME=$(echo -n "${{ env.IMAGE_NAME }}" | awk -F'/' '{print $NF}')
+          echo "CATEGORY_NAME=${VERSION}-${NAME}" >> $GITHUB_ENV
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ContainerFiles/kube-ovn
+          push: false
+          load: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: |
+            ${{ env.IMAGE_NAME }}:local
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            KUBE_OVN_VERSION=${{ matrix.kube-ovn-version }}
+            CACHEBUST=${{ github.sha }}
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        if: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' }}
+        with:
+          image-ref: '${{ env.IMAGE_NAME }}:local'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH,MEDIUM'
+      - name: Upload Trivy scan results to GitHub Security tab
+        continue-on-error: true
+        if: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: "${{ env.CATEGORY_NAME }}"
+      - name: Run Trivy scanner
+        uses: aquasecurity/[email protected]
+        if: ${{ github.event_name == 'pull_request' }}
+        with:
+          image-ref: '${{ env.IMAGE_NAME }}:local'
+          output: trivy.txt
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH,MEDIUM'
+      - name: Create trivy output file in markdown format
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          if [[ -s trivy.txt ]]; then
+              echo "### Security Output" > trivy-output.txt
+              echo '```terraform' >> trivy-output.txt
+              cat trivy.txt >> trivy-output.txt
+              echo '```' >> trivy-output.txt
+          fi
+      - name: Publish Trivy Output to Summary
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          if [[ -s trivy-output.txt ]]; then
+            {
+              cat trivy-output.txt
+            } >> $GITHUB_STEP_SUMMARY
+          fi
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ContainerFiles/kube-ovn
+          push: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.kube-ovn-version }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.kube-ovn-version }}-latest
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.kube-ovn-version }}-${{ env.MY_DATE }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            KUBE_OVN_VERSION=${{ matrix.kube-ovn-version }}
+            CACHEBUST=${{ github.sha }}

ContainerFiles/kube-ovn

@@ -0,0 +1,54 @@
+# syntax = docker/dockerfile:1
+# This Dockerfile uses multi-stage build to customize DEV and PROD images:
+# https://docs.docker.com/develop/develop-images/multistage-build/
+
+ARG KUBE_OVN_VERSION=v1.14.4
+FROM golang:1.24-bookworm AS dependency_build
+ARG KUBE_OVN_VERSION=v1.14.4
+ARG CACHEBUST=0
+RUN export DEBIAN_FRONTEND=noninteractive \
+  && apt-get update && apt-get upgrade -y \
+  && apt-get install --no-install-recommends -y \
+                                             git \
+                                             build-essential
+RUN git clone --recursive https://github.com/kubeovn/kube-ovn /opt/kube-ovn
+WORKDIR /opt/kube-ovn
+RUN git checkout ${KUBE_OVN_VERSION} && \
+    git submodule update --init --recursive && \
+    git submodule foreach --recursive git reset --hard && \
+    git submodule foreach --recursive git clean -fdx
+COPY scripts/kube-ovn.sh /opt/
+RUN bash /opt/kube-ovn.sh
+RUN make build-go
+RUN mv /opt/kube-ovn/dist/images/logrotate/* /etc/logrotate.d/ \
+  && rm -rf /opt/kube-ovn/dist/images/logrotate
+
+
+FROM kubeovn/kube-ovn-base:${KUBE_OVN_VERSION}
+# NOTE(cloudnull): Resolves CVE CVE-2025-47268,CVE-2025-48964,CVE-2025-1795,CVE-2025-40909,CVE-2024-12718,CVE-2025-22870,CVE-2025-22872,
+#                               CVE-2025-32988,CVE-2025-32990,CVE-2025-4138,CVE-2025-4330,CVE-2025-4435,CVE-2025-4516,CVE-2025-4517,
+#                               CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5351,CVE-2025-5372,CVE-2025-5702,CVE-2025-5987,
+#                               CVE-2025-5994,CVE-2025-6020,CVE-2025-6395,CVE-2025-6965
+RUN curl -L http://archive.ubuntu.com/ubuntu/pool/main/a/apt/apt_2.7.14build2_amd64.deb -o /tmp/apt.deb \
+  && curl -L http://launchpadlibrarian.net/611243934/gpgv_2.2.27-3ubuntu2.1_amd64.deb -o /tmp/gpgv.deb \
+  && dpkg -i /tmp/apt.deb /tmp/gpgv.deb \
+  && rm -f /tmp/apt.deb /tmp/gpgv.deb \
+  && apt-get update && apt-get upgrade -y \
+  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+  && apt-get clean -y
+COPY --from=dependency_build /opt/kube-ovn/dist/images/* /kube-ovn/
+COPY --from=dependency_build /etc/logrotate.d/* /etc/logrotate.d/
+# NOTE(cloudnull): Lifted the following steps from https://github.com/kubeovn/kube-ovn/blob/master/dist/images/Dockerfile
+#                  The kube-ovn-cmd binary is used by all the kube-ovn components.
+RUN ln -sf /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-monitor && \
+    ln -sf /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-speaker && \
+    ln -sf /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-webhook && \
+    ln -sf /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-leader-checker && \
+    ln -sf /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-ic-controller && \
+    ln -sf /kube-ovn/kube-ovn-controller /kube-ovn/kube-ovn-pinger && \
+    setcap CAP_NET_BIND_SERVICE+eip /kube-ovn/kube-ovn-cmd && \
+    setcap CAP_NET_RAW,CAP_NET_BIND_SERVICE+eip /kube-ovn/kube-ovn-controller && \
+    setcap CAP_NET_ADMIN,CAP_NET_RAW,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /kube-ovn/kube-ovn-daemon
+RUN ln -sf /kube-ovn/grace_stop_ovn_controller /usr/share/ovn/scripts/grace_stop_ovn_controller
+RUN /kube-ovn/iptables-wrapper-installer.sh --no-sanity-check
+WORKDIR /kube-ovn

docs/containers/kube-ovn.md

@@ -0,0 +1,28 @@
+# kube-ovn
+
+The `kube-ovn` image is built from [ContainerFiles/kube-ovn](https://github.com/rackerlabs/genestack-images/blob/main/ContainerFiles/kube-ovn). This image has no dedicated CVE script; security updates are included during the build.
+
+This container packages the kube-ovn service for use in the stack. The build installs the required packages, applies security updates and configuration, and prepares the service for integration.
+
+``` mermaid
+graph LR
+    A[Base image] --> B[Install packages]
+    B --> C[Apply CVE patches]
+    C --> D[Configure kube-ovn]
+    D --> E[Container ready]
+    E --> Keystone
+```
+
+??? example "ContainerFile used for the build"
+
+    ``` docker
+    --8<-- "ContainerFiles/kube-ovn"
+    ```
+
+## Dependencies
+
+- Builds From [Upstream Debian](https://hub.docker.com/_/debian)
+
+## Container Image
+
+The container image is available on [Github Container Registry](https://github.com/rackerlabs/genestack-images/pkgs/container/genestack-images%2Fkube-ovn).

scripts/kube-ovn.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+if [ ${KUBE_OVN_VERSION:-master} = "v1.14.4" ]; then
+    # CVE fixes CVE-2025-54388,CVE-2025-22870,CVE-2025-22872,CVE-2025-22868
+    go get -u github.com/docker/docker
+    go get -u golang.org/x/net
+    go get -u golang.org/x/oauth2
+elif [ ${KUBE_OVN_VERSION:-master} = "v1.13.14" ]; then
+    # CVE fixes CVE-2025-22870,CVE-2025-22872,CVE-2025-22868
+    go get -u golang.org/x/net
+    go get -u golang.org/x/oauth2
+fi