🚀 V2.9.0 al2023#96
Conversation
…130_fix 🐛fix: classic elb fix for TLS issues
…ror_msg 🌱 ROSA Modified rosacontrolplane_controller version error messages.
…_acct_doc_for_rosa 🐛 ROSA: Add instructions to activate a newly created service account
…ane, EKS fargate profile, and managed machine pools Signed-off-by: Robin Ketelbuters <robin.ketelbuters@gmail.com>
Signed-off-by: Michael Shen <mishen@umich.edu>
Signed-off-by: Alexandr Demicev <alexandr.demicev@suse.com>
…rclusterdependencies ✨ Wait for AWSCluster dependent object to be deleted
🌱 Fix test version string in order to use manifests from source files
…anagedMachinePools Co-authored-by: Cameron McAvoy <cmcavoy@indeed.com>
📖 Clarify that the ROSA provider is currently for ROSA HCP clusters
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.33.0 to 0.36.0.
- [Commits](golang/net@v0.33.0...v0.36.0)
---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
…ot/go_modules/hack/tools/golang.org/x/net-0.36.0 🌱 Bump golang.org/x/net from 0.33.0 to 0.36.0 in /hack/tools
…wsmachines ✨ Add AWSMachines to back the EC2 instances in AWSMachinePools and AWSManagedMachinePools
📖 Fix link to AWS ROSA documentation
…936-upstream ✨Add support for public-only networking
Signed-off-by: Richard Case <richard.case@outlook.com>
This graduates the garbage collection feature from experimental to beta.
Signed-off-by: Richard Case <richard.case@outlook.com>
…ease28 🌱 chore: update metadata for v2.8.x release series
Sets paused condition on AWSMachine
Sets paused on AWSCluster
Sets paused condition on AWSManagedMachinePool
Sets paused condition for ROSAMachinePool
Sets paused condition for ROSAControlPlane
Sets paused condition on AWSManagedControlPlane
Sets paused condition on EKSConfig
Adds paused helper functions

This change adds the paused helper utilities from upstream cluster api. It modifies them to not require v1beta2conditions. This is so we can use similar code until the conditions changes are out of beta.
…ndition ✨ Set Paused condition on reconciled resources status upon reconciliation being paused
Start with "unmanaged", or non-hosted control planes. Other controllers that can be optional, such as the EKS, ROSA, and MachinePool ones, are currently managed with feature flags. When they graduate, they should be controlled by the `--disable-controllers` flag.
Updates AWSManagedCluster with Paused Condition

This change:
- Updates the API for AWSManagedCluster to include a conditions field.
- Sets `Paused` in the conditions if the controller is paused.

Updates ROSACluster with Paused Condition

This change:
- Updates the API for ROSACluster to include a conditions field.
- Sets `Paused` in the conditions if the controller is paused.

Updates generated API types
✨ Support for BootstrapSelfManagedAddons flag for EKS cluster creation
…dcluster-paused ✨ Updates AWSManagedCluster, ROSACluster with Paused Condition
While kubernetes-sigs#5394 and kubernetes-sigs#5383 added support for patching a cluster/status in the cluster.x-k8s.io API group, neither added the patch permission for the associated controllers. This commit adds RBAC support for patching cluster/status Signed-off-by: Nolan Brubaker <nolan@nbrubaker.com>
* Migrate node-related code to AWS SDK v2
* remove Session() awsclient.ConfigProvider
* fix lint error
* fix lint error
* fix e2e job
* rebase
* fix e2e job
* debug debug
…network-interface 🐛 do not set tags on existing network interfaces when creating ec2 instances
…ot/go_modules/hack/tools/github.com/go-viper/mapstructure/v2-2.3.0 🌱 Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 in /hack/tools
…ot/go_modules/github.com/go-viper/mapstructure/v2-2.3.0 🌱 Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0
…ot/go_modules/github.com/cloudflare/circl-1.6.1 🌱 Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1
✨ Migrate Secrets Manager packages to AWS SDK v2
🐛 ROSA: Fix update channel group
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v4...v5)
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Pankaj Walke <punkwalker@gmail.com>
…ot/github_actions/actions/checkout-5 🌱 Bump actions/checkout from 4 to 5
🐛 Fix test log message
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.68.0 to 1.4.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v0.68.0...v1.4.0)
---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.4.0
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Per kubernetes/kubernetes@3f07fc3, the `--short` option on `kubectl version` has been removed for the 1.35 alpha, which is being used by the conformance tests. Signed-off-by: Nolan Brubaker <nolan@nbrubaker.com>
Signed-off-by: Pankaj Walke <punkwalker@gmail.com>
🐛 Remove deleted `--short` option for kubectl
⚠️ AWS SDK V1 cleanup
…ot/go_modules/hack/tools/github.com/open-policy-agent/opa-1.4.0 🌱 Bump github.com/open-policy-agent/opa from 0.68.0 to 1.4.0 in /hack/tools
🌱 e2e: create tarball as artifact with pod logs for debugging
…ve-hacktools 🌱 remove kpromo from hack/tools/go.mod and directly install it instead
…nly preference Adds webhook validation to block conflicting configuration where CapacityReservationPreference is set to 'capacity-reservations-only' while MarketType is 'Spot', as this combination is not supported by AWS.
🐛 Add validation to prevent Spot instances with CapacityReservationsOnly preference
…q/nodeadm-upstream ✨ Implement nodeadm bootstrapping type
| runs-on: ubuntu-latest | ||
| name: verify PR contents | ||
| steps: | ||
| - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # tag=v4.2.2 | ||
|
|
||
| - name: Check if PR title is valid | ||
| env: | ||
| PR_TITLE: ${{ github.event.pull_request.title }} | ||
| run: | | ||
| ./hack/verify-pr-title.sh "${PR_TITLE}" |
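Review bot: this job declares no `permissions:` block, so its GITHUB_TOKEN inherits the repository default scopes; the visible steps only check out the repository and run `./hack/verify-pr-title.sh`, so `permissions: contents: read` (at workflow or job level) is sufficient and drops write scopes the job never uses. The way the title is handed over is right and worth keeping: it goes through `env: PR_TITLE: ${{ github.event.pull_request.title }}` and is quoted as `"${PR_TITLE}"` in `run:`, rather than being interpolated into the shell line, so PR-author-controlled text cannot be parsed as shell syntax.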
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
In general, fix this by declaring a permissions: block either at the workflow root (applies to all jobs) or inside the specific job, granting only the scopes required. For this workflow, the steps only need to read the repository contents, so contents: read is sufficient. Because the query suggestion mentions that as a minimal starting point and the job doesn’t push or modify repository resources, we should restrict the token accordingly.
The best minimal, non-functional-change fix is to add a workflow-level permissions: section directly below the name: line. This will apply to all jobs (currently only verify) and ensures GITHUB_TOKEN is limited to contents: read. No other permissions (like pull-requests: write) are required for the existing steps. Concretely, in .github/workflows/pr-verify.yml, insert:
    permissions:
      contents: read

after line 1 (`name: PR verify`). No new imports or actions are required.
| @@ -1,4 +1,6 @@ | ||
| name: PR verify | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request_target: |
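Review bot: putting `permissions:` at the top level rather than inside the job is the better choice here, since it also covers any job added to this workflow later. Note that the trigger is `pull_request_target`, which runs with the base repository's token and secrets even for pull requests opened from forks, so the read-only restriction matters more, not less. The checkout step shown earlier passes no `ref:` and therefore checks out the base branch; keep it that way, because checking out the PR head under `pull_request_target` would execute untrusted code with that token.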
|
|
||
| return &clusterv1.APIEndpoint{ | ||
| Host: host, | ||
| Port: int32(port), //#nosec G109 G115 |
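Review bot: `Port: int32(port)` carries a `//#nosec G109 G115` annotation, which only silences gosec; the truncating conversion from a platform-sized `int` is still present, and CodeQL reports it regardless. Replace the cast with a bounds-checked parse instead of suppressing the finding, so the annotation can be dropped along with the defect.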
Check failure
Code scanning / CodeQL
Incorrect conversion between integer types High
Copilot Autofix
AI about 1 month ago
In general, this problem is fixed by ensuring that integer parsing and target types use compatible bit sizes, or by enforcing explicit bounds checks before converting to a smaller integer type. Instead of using strconv.Atoi (which returns an architecture‑dependent int) and then casting to int32, we should parse directly into a 32‑bit integer using strconv.ParseInt with bitSize=32, and then convert that result to int32. This guarantees that any out‑of‑range value will be rejected with an error from ParseInt rather than silently wrapped during the cast.
For this specific code in controlplane/rosa/controllers/rosacontrolplane_controller.go, the best minimal fix is within the buildAPIEndpoint function around lines 1131–1138:
- Replace `port, err := strconv.Atoi(portStr)` (which yields `int`) with `port64, err := strconv.ParseInt(portStr, 10, 32)` (which yields `int64` whose value is already range-checked to 32 bits).
- Handle the error as currently done.
- Convert the resulting `int64` to `int32` when assigning to `APIEndpoint.Port` by writing `Port: int32(port64)`. This cast is now safe because `ParseInt` with bitSize 32 guarantees the parsed value fits within the `int32` range.
- No import changes are needed because `strconv` is already imported.
- The function's external behavior remains unchanged: valid port numbers still parse successfully, and invalid ones still cause an error return.
| @@ -1128,13 +1128,13 @@ | ||
| return nil, err | ||
| } | ||
|
|
||
| port, err := strconv.Atoi(portStr) | ||
| port64, err := strconv.ParseInt(portStr, 10, 32) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| return &clusterv1.APIEndpoint{ | ||
| Host: host, | ||
| Port: int32(port), //#nosec G109 G115 | ||
| Port: int32(port64), | ||
| }, nil | ||
| } |
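Review bot: `strconv.ParseInt(portStr, 10, 32)` removes the truncating cast, but the int32 range is much wider than a port: "-1", "0" and "70000" all parse successfully and still reach `APIEndpoint.Port`. Add an explicit check such as `if port64 < 1 || port64 > 65535 { return nil, <error> }` after the `err != nil` branch (using whatever error constructor this file already uses), so the validation matches what the field represents rather than what fits in the type.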
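To make the two behaviours concrete, the following is an added, stand-alone Go example; it is not code from cluster-api-provider-aws or from the autofix above. It places the pre-fix `strconv.Atoi` plus `int32` cast pattern next to a bounds-checked parser so the silent wrap and the rejection can be seen side by side. The function names `parsePortTruncating` and `parsePortChecked`, the 1 to 65535 port range, and the sample inputs are this example's own choices.

```go
package main

import (
	"fmt"
	"strconv"
)

// parsePortTruncating reproduces the pre-fix pattern: strconv.Atoi returns a
// platform-sized int, and the cast to int32 silently keeps only the low 32 bits
// on 64-bit hosts (for example "4294967393", which is 2^32+97, becomes 97).
func parsePortTruncating(portStr string) (int32, error) {
	port, err := strconv.Atoi(portStr)
	if err != nil {
		return 0, err
	}
	return int32(port), nil // deliberately unchecked, for illustration only
}

// parsePortChecked is the hardened form. ParseInt with bitSize 32 already
// returns an error for anything outside int32, and the explicit range check
// then rejects the remaining non-ports (negatives, zero, anything above 65535)
// before the value can reach an API object.
func parsePortChecked(portStr string) (int32, error) {
	port64, err := strconv.ParseInt(portStr, 10, 32)
	if err != nil {
		return 0, fmt.Errorf("parsing port %q: %w", portStr, err)
	}
	// 1-65535 is this example's own choice of valid TCP port range.
	if port64 < 1 || port64 > 65535 {
		return 0, fmt.Errorf("port %d is outside the valid range 1-65535", port64)
	}
	return int32(port64), nil
}

func main() {
	// Constructed inputs: a normal port, two non-ports that ParseInt accepts,
	// an int32 overflow, and a value that wraps to 97 under the old cast.
	for _, in := range []string{"443", "-1", "70000", "2147483648", "4294967393"} {
		old, oldErr := parsePortTruncating(in)
		fixed, fixedErr := parsePortChecked(in)
		fmt.Printf("%-11s truncating=%d err=%v | checked=%d err=%v\n",
			in, old, oldErr, fixed, fixedErr)
	}
}
```

Running it on a 64-bit host shows "4294967393" coming back as port 97 from the truncating version with no error, while the checked version rejects it, along with "-1" and "70000", which ParseInt alone would have accepted.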
- Resolved merge conflict in eksconfig_controller_reconciler_test.go
- Fixed type error in machine_deployment.go (Version field now requires pointer)
- Upgraded cluster-api from v1.10.2 to v1.12.3 for nodeadm support
- Updated import paths for cluster-api v1.12.x API reorganization
- Fixed predicates usage in nodeadmconfig_controller.go

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
What type of PR is this?
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged): Fixes #
Special notes for your reviewer:
Checklist: