OCPBUGS-7683 OCPBUGS-5172: Bump helm to v3.11.1 to address CVE-2023-25165 #19
Conversation
openshift-ci-robot
added
jira/severity-low
|
@tmshort: This pull request references Jira Issue OCPBUGS-7683, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
/retest |
(cherry picked from commit 0aa06ea) Signed-off-by: Todd Short <[email protected]>
…1.11 Signed-off-by: Joe Lanford <[email protected]> (cherry picked from commit c9aec01) Signed-off-by: Todd Short <[email protected]>
Signed-off-by: akihikokuroda <[email protected]> (cherry picked from commit ba86667) Signed-off-by: Todd Short <[email protected]>
…n slightly (cherry picked from commit c0103c7) Signed-off-by: Todd Short <[email protected]>
Our finalizer code is not integrated with our updater code, which results in two multiple update calls being made during a single reconcile when a bundle is deleted. The first call removes the finalizer, the second attempts to update the status. The second call fails because the bundle has been deleted in etcd after the finalizer is removed with the first call. This commit fully rips out the bundle updater and refactors things to ensure there’s never more than one status and bundle update per reconcile. (cherry picked from commit d60b6f0) Signed-off-by: Todd Short <[email protected]>
Also, start using build tags to make it easier to change defaults for downstream builds. Signed-off-by: Joe Lanford <[email protected]> (cherry picked from commit 0191183) Signed-off-by: Todd Short <[email protected]>
This commit fully rips out the bundle deployment updater and refactors things to ensure there’s never more than one status and bundle deployment update per reconcile. (cherry picked from commit 214a389) Signed-off-by: Todd Short <[email protected]>
(cherry picked from commit ed64be5) Signed-off-by: Todd Short <[email protected]>
(cherry picked from commit 1c97e66) Signed-off-by: Todd Short <[email protected]>
Signed-off-by: Tyler Slaton <[email protected]> (cherry picked from commit 1bea93e) Signed-off-by: Todd Short <[email protected]>
Signed-off-by: akihikokuroda <[email protected]> (cherry picked from commit 34a1338) Signed-off-by: Todd Short <[email protected]>
(cherry picked from commit 1ee22ee) Signed-off-by: Todd Short <[email protected]>
We currently have a large amount of copy/pasted code in our various in-tree provisioners. We have three bundle provisioners: plain, registry, and helm. And we have two BD provisioners: plain and helm. A very large majority of the code in each of these provisioners is identical, and the only differences are in: - how the bundle content is validated and converted before storing - how the bundle content is validated and rendered into a helm chart before being applied to the cluster. This PR introduces a few interfaces to capture these implementation-specific differences along with generic bundle and BD reconcilers that use these interfaces such that the copy/pasted code is now shared and DRY-ed up. (cherry picked from commit d9899da) Signed-off-by: Todd Short <[email protected]>
Signed-off-by: akihikokuroda <[email protected]> (cherry picked from commit 59f2b1e) Signed-off-by: Todd Short <[email protected]>
Signed-off-by: akihikokuroda <[email protected]> (cherry picked from commit e430327) Signed-off-by: Todd Short <[email protected]>
Signed-off-by: akihikokuroda <[email protected]> (cherry picked from commit 549b3f0) Signed-off-by: Todd Short <[email protected]>
Signed-off-by: akihikokuroda <[email protected]> (cherry picked from commit 9759cb8) Signed-off-by: Todd Short <[email protected]>
Signed-off-by: timflannagan <[email protected]> (cherry picked from commit 6a56409) Signed-off-by: Todd Short <[email protected]>
Signed-off-by: timflannagan <[email protected]> (cherry picked from commit f4fc68d) Signed-off-by: Todd Short <[email protected]>
|
/retest |
|
/retest |
tmshort
force-pushed
the
CVE-2023-25165
branch
from
fd5a24c to
37ad8cd
Compare
|
/retest |
tmshort
force-pushed
the
CVE-2023-25165
branch
from
37ad8cd to
57e2f0d
Compare
|
I already test it with pre-merged. the details is in the https://issues.redhat.com/browse/OCPBUGS-7683 |
Yes, actively looking at e2e failure; which has never passed per the job history. |
|
/retest |
Disable (via Pending) one of the e2e tests. The command is erroring, but with an incorrect error code. This can be looked at later. Signed-off-by: Todd Short <[email protected]>
This copies everything from operator-framework/rukpak, which really ends up being just the `Makefile` and `Dockerfile`. Both the `Dockerfile` and the `Makefile` have been tweaked to work with upstream changes. Versions of the locally built components previously in `/bin`, now in `hack/tools/bin`, are based on the `go.mod` in the new location rather than versions in the `Makefile`. CI Fixes: * Swap test-e2e and e2e and disable e2e * Add -mod=mod to local builds of tools Signed-off-by: Todd Short <[email protected]>
|
@tmshort: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
The e2e tests are disabled in the repo; this repo was never configured properly to run the ci/prow/e2e tests, and it's beyond the scope of this PR, which is mostly a merge from upstream. Adding those tests would be a project on its own. |
|
/label qe-approved |
openshift-ci
bot
added
the
qe-approved
|
/lgtm |
|
@tmshort: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-7683 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
tmshort
changed the title
|
@tmshort: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-5172 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/jira refresh |
|
@tmshort: Jira Issue OCPBUGS-5172 is in an unrecognized state (MODIFIED) and will not be moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherry-pick release-4.12 |
|
@tmshort: #19 failed to apply on top of branch "release-4.12": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Update go modules and vendor directory
Update manifests
Also addresses OCPBUGS-5172 for another helm CVE (update helm to v3.10.3)
This pulls in all changes from operator-framework/rukpak.