diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml index 4fb15bc..cb3caa0 100644 --- a/.github/ISSUE_TEMPLATE/bug.yml +++ b/.github/ISSUE_TEMPLATE/bug.yml @@ -48,7 +48,7 @@ body: required: true - type: input - id: version + id: ssot-version attributes: label: Which version of netbox-ssot are you running description: | diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index ab5935f..7ef2c7a 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -18,16 +18,13 @@ on: jobs: build_and_push: runs-on: ubuntu-latest - permissions: - contents: read - packages: write steps: - name: Login to ghcr.io uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 with: registry: ghcr.io username: src-csm - password: ${{ secrets.GITHUB_TOKEN }} + password: ${{ secrets.GHCR_PAT }} - name: Set up QEMU uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3 diff --git a/.github/workflows/check_links.yml b/.github/workflows/check_links.yml index 45893ef..3e4bf06 100644 --- a/.github/workflows/check_links.yml +++ b/.github/workflows/check_links.yml @@ -8,6 +8,8 @@ on: jobs: linkChecker: + permissions: + issues: write # required for peter-evans/create-issue-from-file runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -16,7 +18,6 @@ jobs: id: lychee uses: lycheeverse/lychee-action@f613c4a64e50d792e0b31ec34bbcbba12263c6a6 # v2.3.0 with: - token: ${{ secrets.GH_TOKEN }} fail: false - name: Create Issue From File @@ -26,4 +27,3 @@ jobs: title: Link Checker Report content-filepath: ./lychee/out.md labels: report, automated issue - token: ${{ secrets.GH_TOKEN }} diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml deleted file mode 100644 index ffd91d1..0000000 --- a/.github/workflows/gitleaks.yml +++ /dev/null 
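Review bot: Dropping the job-level `permissions:` block while moving the registry login to `secrets.GHCR_PAT` leaves GITHUB_TOKEN at the repository's default scope even though the job no longer needs `packages: write` from it; keep an explicit least-privilege block, `permissions:` / `  contents: read`, so the token stays minimal. The same block is removed in replace_version.yml and semantic_tag.yml, where the checkout and semantic-release tokens move to `secrets.SVC_PAT`, and the same fix applies there. A PAT is long-lived and is usually scoped wider than one repository, so each `secrets.*_PAT` line deserves a comment stating why GITHUB_TOKEN is insufficient (presumably so the resulting pushes and tags trigger downstream workflows) and what scope and expiry the token carries. The rest of the build_and_push job is outside the hunk.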
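Review bot: A job-level `permissions:` block that lists only `issues: write` sets every other scope to none, so the `actions/checkout` step below it may lose `contents: read`; add `contents: read` next to `issues: write`. Removing `token:` from the lychee step also means github.com links are checked without authentication, which can hit rate limits; if that is intended, a one-line comment on the step saves the next reader a search. The two later hunks in this file remove the same `GH_TOKEN` and need no separate change.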
@@ -1,16 +0,0 @@ -# name: Check for git secrets with Gitleaks -# on: -# pull_request: -# branches: -# - main -# jobs: -# scan: -# name: gitleaks -# runs-on: ubuntu-latest -# steps: -# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 -# with: -# fetch-depth: 0 -# - uses: gitleaks/gitleaks-action@83373cf2f8c4db6e24b41c1a9b086bb9619e9cd3 # v2 -# env: -# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/gorelease.yml b/.github/workflows/gorelease.yml index c625ece..45a00e8 100644 --- a/.github/workflows/gorelease.yml +++ b/.github/workflows/gorelease.yml @@ -4,6 +4,7 @@ on: push: tags: - v\d+\.\d+\.\d+ + workflow_dispatch: jobs: goreleaser: @@ -25,3 +26,5 @@ jobs: distribution: goreleaser version: '~> v2' args: release --clean + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml new file mode 100644 index 0000000..0be34c5 --- /dev/null +++ b/.github/workflows/osv-scanner.yml @@ -0,0 +1,25 @@ +name: OSV-Scanner PR Scan + +# Change "main" to your default branch if you use a different name, i.e. "master" +on: + pull_request: + branches: [main] + merge_group: + branches: [main] + +permissions: + # Required to upload SARIF file to CodeQL. See: https://github.com/github/codeql-action/issues/2117 + actions: read + # Require writing security events to upload SARIF file to security tab + security-events: write + # Only need to read contents + contents: read + +jobs: + scan-pr: + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.9.1" + with: + scan-args: |- + -r + --skip-git + ./ diff --git a/.github/workflows/replace_version.yml b/.github/workflows/replace_version.yml index c6b2736..12acada 100644 --- a/.github/workflows/replace_version.yml +++ b/.github/workflows/replace_version.yml 
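Review bot: The new `env: GITHUB_TOKEN` only lets goreleaser publish if the goreleaser job grants `contents: write`; the job's `permissions:` block, if it has one, is outside this hunk, so confirm it exists or add `permissions:` / `  contents: write` at the job level rather than relying on repository defaults. The added `workflow_dispatch:` trigger allows a run on a branch ref with no tag at HEAD, where `release --clean` will fail; a comment stating that the dispatch must be started from a tag would help. The existing tag filter `v\d+\.\d+\.\d+` also looks like a regex, but workflow filter patterns are glob-style and do not understand `\d`, which may be why a manual trigger became necessary.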
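Review bot: The reusable-workflow reference `google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.9.1` is pinned to a mutable tag, whereas every other action in this repository is pinned to a full commit SHA with a version comment; pin it the same way, `…/osv-scanner-reusable.yml@<commit-sha-of-v1.9.1> # v1.9.1`. The `# Change "main" to your default branch…` line is template boilerplate and can be dropped now that the branch is set. The top-level `permissions:` block is the caller's ceiling for the reusable workflow, and `security-events: write` plus `actions: read` is what the SARIF upload needs, so that part reads correctly.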
@@ -7,13 +7,11 @@ on: jobs: replace_version: runs-on: ubuntu-latest - permissions: - contents: write steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ secrets.SVC_PAT }} ref: main - name: Replace image version in k8s manifests diff --git a/.github/workflows/semantic_tag.yml b/.github/workflows/semantic_tag.yml index 1fbfad4..b757ef5 100644 --- a/.github/workflows/semantic_tag.yml +++ b/.github/workflows/semantic_tag.yml @@ -7,8 +7,6 @@ on: jobs: release: runs-on: ubuntu-latest - permissions: - contents: write steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -22,5 +20,5 @@ jobs: - name: Release env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.SVC_PAT }} run: npx semantic-release@24.2.3 diff --git a/Dockerfile b/Dockerfile index 4d6efc6..d9da730 100644 --- a/Dockerfile +++ b/Dockerfile @@ -50,6 +50,15 @@ RUN addgroup -S -g 10001 netbox && \ chown -R netbox:netbox /app USER netbox:netbox +# Also allow deprecated ssh algorithims for older devices +# See https://github.com/SRC-doo/netbox-ssot/issues/498 +RUN mkdir -p /home/netbox/.ssh/ && \ +cat < /home/netbox/.ssh/config +Host * + HostKeyAlgorithms +ssh-rsa + PubkeyAcceptedKeyTypes +ssh-rsa +EOF + WORKDIR /app COPY --from=builder --chown=netbox:netbox /app/cmd/netbox-ssot/main ./main diff --git a/README.md b/README.md index 419f9af..899c319 100644 --- a/README.md +++ b/README.md 
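Review bot: As printed, `cat < /home/netbox/.ssh/config` redirects the file into cat's stdin and the trailing `EOF` has no opening heredoc marker, so the RUN would fail; if the `<<` was lost in rendering ignore this, otherwise the line should read `cat <<'EOF' > /home/netbox/.ssh/config`. The `Host *` stanza re-enables the SHA-1 based `ssh-rsa` host-key and public-key algorithms for every destination, not only the legacy devices from #498; the `+` keeps modern algorithms preferred, but a comment spelling out that trade-off, and ideally a narrower `Host` pattern or a build-time toggle, would keep newer devices on stronger algorithms. `PubkeyAcceptedKeyTypes` is the pre-OpenSSH-8.5 spelling of `PubkeyAcceptedAlgorithms`; current OpenSSH accepts both, so a comment noting the choice is enough.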
@@ -94,7 +94,7 @@ Example configuration can be found [here](#example-config).
 | `source.ignoreAssetTags` | Don't sync asset tags of devices. | all | bool | [true, false] | false | No |
 | `source.ignoreSerialNumbers` | Don't sync serial numbers of devices. | all | bool | [true, false] | false | No |
 | `source.ignoreVMTemplates` | Don't sync vm templates. | [**vmware**] | bool | [true, false] | false | No |
-| `source.datacenterClusterGroupRelations` | Regex relations in format `regex = clusterGroupName`, that map each datacenter that satisfies regex to clusterGroupname (see [#130](https://github.com/bl4ko/netbox-ssot/issues/130)). | [**vmware**, **ovirt**] | []string | any | [] | No |
+| `source.datacenterClusterGroupRelations` | Regex relations in format `regex = clusterGroupName`, that map each datacenter that satisfies regex to clusterGroupname. | [**vmware**, **ovirt**] | []string | any | [] | No |
 | `source.hostSiteRelations` | Regex relations in format `regex = siteName`, that map each host that satisfies regex to site. | all | []string | any | [] | No |
 | `source.clusterSiteRelations` | Regex relations in format `regex = siteName`, that map each cluster that satisfies regex to site. | all | []string | any | [] | No |
 | `source.clusterTenantRelations` | Regex relations in format `regex = tenantName`, that map each cluster that satisfies regex to tenant. | all | []string | any | [] | No |
diff --git a/go.sum b/go.sum
index fa3c2dc..655d711 100644
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,5 @@
 github.com/PaloAltoNetworks/pango v0.10.2 h1:Tjn6vIzzAq6Dd7N0mDuiP8w8pz8k5W9zz/TTSUQCsQY=
 github.com/PaloAltoNetworks/pango v0.10.2/go.mod h1:GztcRnVLur7G+VFG7Z5ZKNFgScLtsycwPMp1qVebE5g=
-github.com/bl4ko/go-devicetype-library v0.1.54 h1:tf/yps5QnTGaVWmIAKOp0QfQndPAwrgi6s4eI5Mk2yk=
-github.com/bl4ko/go-devicetype-library v0.1.54/go.mod h1:Pzm1BlRyR4uECezsRINDA6ZieFPumdFL+6yySpXM6t8=
 github.com/bl4ko/go-devicetype-library v0.1.55 h1:LiWK/qMUbNXubzuyNIZD+kMal3sHhVUmgm74x5OHmPI=
 github.com/bl4ko/go-devicetype-library v0.1.55/go.mod h1:Pzm1BlRyR4uECezsRINDA6ZieFPumdFL+6yySpXM6t8=
 github.com/buger/goterm v1.0.4 h1:Z9YvGmOih81P0FbVtEYTFF6YsSgxSUKEhf/f9bTMXbY=
diff --git a/internal/netbox/inventory/delete_items.go b/internal/netbox/inventory/delete_items.go
index ebd3fbe..663ba29 100644
--- a/internal/netbox/inventory/delete_items.go
+++ b/internal/netbox/inventory/delete_items.go
@@ -128,6 +128,8 @@ func (nbi *NetboxInventory) softDelete(orphanItem objects.OrphanItem) error {
 _, err = service.Patch[objects.WirelessLAN](nbi.OrphanManager.Ctx, nbi.NetboxAPI, orphanItem.GetID(), diffMap)
 case *objects.WirelessLANGroup:
 _, err = service.Patch[objects.WirelessLANGroup](nbi.OrphanManager.Ctx, nbi.NetboxAPI, orphanItem.GetID(), diffMap)
+ case *objects.MACAddress:
+ _, err = service.Patch[objects.MACAddress](nbi.OrphanManager.Ctx, nbi.NetboxAPI, orphanItem.GetID(), diffMap)
 default:
 return fmt.Errorf("unsupported type for orphan item%T", orphanItem)
 }
diff --git a/internal/source/ios-xe/iosxe.go b/internal/source/ios-xe/iosxe.go
index fffdd35..ecd66f5 100644
--- a/internal/source/ios-xe/iosxe.go
+++ b/internal/source/ios-xe/iosxe.go
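Review bot: The `default:` message `"unsupported type for orphan item%T"` has no space before the verb and prints e.g. `orphan item*objects.Foo`; with the new `MACAddress` arm landing right above it, this is the moment to change it to `"unsupported type for orphan item %T"`. The switch repeats one identical `service.Patch[T](...)` call per type, so a short comment at the top of the switch saying that each arm exists only to instantiate a different type parameter would stop readers from looking for a behavioral difference. softDelete starts and ends outside the hunk.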
@@ -33,7 +33,9 @@ func (is *IOSXESource) Init() error {
 options.WithAuthUsername(is.SourceConfig.Username),
 options.WithAuthPassword(is.SourceConfig.Password),
 options.WithPort(is.SourceConfig.Port),
- options.WithAuthNoStrictKey(), // inside container we can't confirm ssh key
+ options.WithAuthNoStrictKey(),
+ // See https://github.com/SRC-doo/netbox-ssot/issues/498
+ options.WithSSHConfigFile("~/.ssh/config"),
 )
 if err != nil {
 return fmt.Errorf("failed to create driver: %s", err)
diff --git a/internal/source/vmware/vmware_sync.go b/internal/source/vmware/vmware_sync.go
index 07b43a9..f38c71a 100644
--- a/internal/source/vmware/vmware_sync.go
+++ b/internal/source/vmware/vmware_sync.go
@@ -579,7 +579,7 @@ func (vc *VmwareSource) collectHostPhysicalNicData(
 vlanIDMap[portgroupData.vlanID] = vlan
 }
 } else {
- vlanName := fmt.Sprintf("VLAN%04d_%s", portgroupData.vlanID, portgroupName)
+ vlanName := portgroupName
 vlanSite, err := common.MatchVlanToSite(vc.Ctx, nbi, vlanName, vc.SourceConfig.VlanSiteRelations)
 if err != nil {
 return nil, "", fmt.Errorf("match vlan to site: %s", err)
diff --git a/k8s/cronjob.yaml b/k8s/cronjob.yaml
index 51cd641..f40ec85 100644
--- a/k8s/cronjob.yaml
+++ b/k8s/cronjob.yaml
@@ -10,7 +10,7 @@ spec:
 spec:
 containers:
 - name: netbox-ssot
- image: ghcr.io/src-doo/netbox-ssot:v1.9.18
+ image: ghcr.io/src-doo/netbox-ssot:v1.10.1
 imagePullPolicy: Always
 resources:
 limits:
diff --git a/k8s/cronjob_with_cert.yaml b/k8s/cronjob_with_cert.yaml
index 02121c9..813456f 100644
--- a/k8s/cronjob_with_cert.yaml
+++ b/k8s/cronjob_with_cert.yaml
@@ -10,7 +10,7 @@ spec:
 spec:
 containers:
 - name: netbox-ssot
- image: ghcr.io/src-doo/netbox-ssot:v1.9.18
+ image: ghcr.io/src-doo/netbox-ssot:v1.10.1
 imagePullPolicy: Always
 resources:
 limits:
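Review bot: `options.WithSSHConfigFile("~/.ssh/config")` depends on the library expanding `~`; Go's os package does not, so unless scrapligo does it internally the file will not be found, and outside the container the file usually does not exist at all. Building the path from `os.UserHomeDir()` and passing the option only when the file is present keeps both cases working. The replaced comment explained why `WithAuthNoStrictKey()` is set (host keys cannot be confirmed inside the container); that rationale is still true and should stay, e.g. `options.WithAuthNoStrictKey(), // no known_hosts inside the container; host keys are not verified`, together with a note that the config file only loosens algorithms for the legacy devices from #498. Init continues outside the hunk.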
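Review bot: Replacing `fmt.Sprintf("VLAN%04d_%s", …)` with the bare port-group name changes the VLAN name that is looked up and created in NetBox, so VLANs created under the old scheme will presumably no longer match on the next sync and may be recreated and then handed to the orphan path; this needs a release note or migration hint, and a comment above the line such as `// VLAN name follows the port group name (previously VLAN<id>_<portgroup>)`. Port-group names are also no longer combined with the VLAN ID, so confirm that MatchVlanToSite and the callers downstream tolerate two port groups that share a name on different VLAN IDs. collectHostPhysicalNicData continues outside the hunk.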