…-sdk-v2 🌱Migrate instancestate to AWS SDK v2
…pportCRD 🐛 Fix missing CRD validation for Amazon Linux 2023 eksLookupType
📖 docs: add missing operator quick start guide
…interface 🌱 Remove unused SessionInterface
Bumps [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) from 2.2.1 to 2.3.0. - [Release notes](https://github.com/go-viper/mapstructure/releases) - [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md) - [Commits](go-viper/mapstructure@v2.2.1...v2.3.0) --- updated-dependencies: - dependency-name: github.com/go-viper/mapstructure/v2 dependency-version: 2.3.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
* Migrate SSM code to AWS SDK V2 - 1. Since the ssm interface provided earlier is removed, the new one is now at pkg/cloud/services/ssm/service.go. 2. Modified client code for the ssm client in pkg/cloud/scope/clients.go. 3. In the ec2 package, updated references of aws-sdk-go/ssm to point to aws-sdk-go-v2/ssm. 4. Types provided by the aws-sdk-go-v2/ssm/types package updated in ec2 (launchtemplate_test.go, ami.go, ami_test.go). * Parameter Not Found updated as per sdk-v2 (smithy.APIError) * Move the MapToSSMTag to a central location, add unit test for it * Make error returns in tests consistent * Added missing doc.go in mock_ssmiface pkg * Initialize the SSMClient properly in the EC2 service (update to handle in ssm/service as well) * Add custom endpoint resolver for ssm * Parse smithyError code using existing code pattern * Unwrap GetParameter and DeleteParameter for ssmClient * Updated ctx to be propagated, but that resulted in some tests failing; updated method signatures for tests to pass * ssm client wrapper removed
✨Create multiple control plane loadbalancers concurrently
* Migrate ServiceLimiters to AWS SDK V2 Signed-off-by: Pankaj Walke <punkwalker@gmail.com> * fix lint errors Signed-off-by: Pankaj Walke <punkwalker@gmail.com> * makefile: bump release-binaries's GOMAXPROCS=2 it was hanging otherwise --------- Signed-off-by: Pankaj Walke <punkwalker@gmail.com> Co-authored-by: Damiano Donati <damiano.donati@gmail.com>
Restrict the parallelism of goreleaser to reduce its maximum memory consumption. This should prevent it from being OOMKilled.
Signed-off-by: Pankaj Walke <punkwalker@gmail.com>
🌱 Try to fix test flake in which secret is not yet available
🌱 Reduce memory consumption of cluster-api-provider-aws-build-docker
…ntextMiddleware 🐛 Fix addition logic of getAttemptContextMiddleware
…MachineAMIType ✨ Add all ManagedMachineAMITypes supported by AWS API
🌱Migrate elb to AWS SDK v2
The kube-apiserver expects to terminate connections itself during graceful shutdown. As soon as kube-apiserver has received SIGTERM, its /readyz endpoint begins serving HTTP 500 responses. To allow time for load balancers to mark it unhealthy, it continues accepting new connections and serving requests on existing connections for a period of time (controlled by the --shutdown-delay-duration option). Once the shutdown delay has elapsed, it stops accepting new requests and drains in-flight requests before exiting. By default, NLBs immediately terminate established connections when a target becomes unhealthy. This causes client-facing disruption for clients connected via NLB to a kube-apiserver instance that is shutting down.
🌱 Fix generation of SSM mock
🌱 Bump github.com/golang/glog to v1.2.5
✨ Add support for 'fast' channelGroupType in ROSA provider
🌱 e2e: fix AWSMachineTemplate autoscaler test
…identity-per-test 🌱 e2e: adjust templates to use AWSClusterRoleIdentities per Cluster
…s-e2e-refactor 🌱 autoscaling: try to gather the version information from MachineSets and e2e test improvements
🐛 Fix invalid cloud-config when write_files is nil
This updates the owners and aliases with the latest maintainers. It also performs housekeeping on maintainers and reviewers and removes those that haven't contributed for a while. Signed-off-by: Richard Case <richard.case@outlook.com>
…hanges_dec_25 🌱 chore: update owners and aliases
…-go-1.24 🌱 github actions: bump to go 1.24
…ot/cherry-pick-5793-to-release-2.10 [release-2.10] 🐛 fix: bumps golangci-lint to work with go 1.24+
…nd tests This PR updates the default value for HostAffinity from `host` to `default` as that's also the AWS platform default, and potentially a more sensible value to set if the user does not have a preference. It also improves the API's go doc comments to further explain the effects of the settings and adds a bunch more units to pinpoint the exact behaviour described in the updated doc.
…ot/cherry-pick-5801-to-release-2.10 [release-2.10] 🐛 fix: change HostAffinity default 'host'->'default' improved API doc and tests
Relaxes the validation for ROSA NodePool autoscaling to allow users to specify a minimum of 0 replicas, enabling scale-to-zero scenarios. MaxReplicas remains with a minimum of 1. Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
…ot/cherry-pick-5816-to-release-2.10 [release-2.10] 🌱 Allow ROSA NodePool autoscaling MinReplicas to be 0
Signed-off-by: serngawy <serngawy@gmail.com>
…ot/cherry-pick-5786-to-release-2.10 [release-2.10] ✨ ROSA Add logForward config AND ImageTypes
Signed-off-by: serngawy <serngawy@gmail.com>
…ot/cherry-pick-5842-to-release-2.10 [release-2.10] 🐛 Fix flaky test TestROSARoleConfigReconcileExist
The webhook server should use the tlsconfig specified in the manager options, so users setting TLS fields in the manager see their preference honoured not only for the metrics server but also for the webhook server.
…ot/cherry-pick-5848-to-release-2.10 [release-2.10] 🐛 fix: use tlsconfig from the manager options for the webhook server
…ot/cherry-pick-5825-to-release-2.10 [release-2.10] 🐛 Fix: Changed dedicated host validation logic to require tenancy=host
…ot/cherry-pick-5876-to-release-2.10 [release-2.10] 🐛 Validate GP3 volume throughput is within the documented range of 125-2000 MiB/s
…q/nodeadm-upstream ✨ Implement nodeadm bootstrapping type
| runs-on: ubuntu-latest | ||
| name: verify PR contents | ||
| steps: | ||
| - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # tag=v4.2.2 | ||
|
|
||
| - name: Check if PR title is valid | ||
| env: | ||
| PR_TITLE: ${{ github.event.pull_request.title }} | ||
| run: | | ||
| ./hack/verify-pr-title.sh "${PR_TITLE}" |
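Review bot: the `verify` job declares no `permissions:` block, so GITHUB_TOKEN falls back to the repository's default token permissions, which can include write scopes; the visible steps only check out the repository and run `./hack/verify-pr-title.sh`, so a job-level `permissions:` with `contents: read` is sufficient and should be added. Pinning `actions/checkout` to a full commit SHA with the `# tag=v4.2.2` annotation is already the right practice and should stay.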
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
To fix the problem, explicitly define a minimal permissions block so the GITHUB_TOKEN is limited to read-only access to repository contents (and any other scopes strictly required). For this specific job, it only checks out the code and runs a shell script using environment variables; no write operations to GitHub are visible. The minimal necessary permission is therefore contents: read, which is sufficient for actions/checkout to work.
The best way to fix this without changing existing functionality is to add a permissions block at the job level, directly under verify: and before runs-on: in .github/workflows/pr-verify.yml. This will scope the restriction to this job only, and clearly documents the required permissions. Concretely, in .github/workflows/pr-verify.yml, around line 8–10, insert:
permissions:
  contents: read
so that the verify job explicitly states that it only needs read access to repository contents. No additional imports, methods, or definitions are needed, since this is just a YAML configuration change.
| @@ -6,6 +6,8 @@ | ||
|
|
||
| jobs: | ||
| verify: | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
| name: verify PR contents | ||
| steps: |
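Review bot: the added job-level `permissions:` block is scoped correctly to `verify`, and `contents: read` covers everything `actions/checkout` and the shell step need. If this workflow later gains more jobs, a workflow-level `permissions:` block would make read-only the default for all of them instead of each new job inheriting the repository default.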
|
|
||
| return &clusterv1beta1.APIEndpoint{ | ||
| Host: host, | ||
| Port: int32(port), //#nosec G109 G115 |
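Review bot: `Port: int32(port)` narrows an `int` produced by strconv.Atoi, so on 64-bit builds a value above 2147483647 wraps silently instead of failing, and the `//#nosec G109 G115` comment only silences gosec without addressing the truncation. Parse with `strconv.ParseInt(portStr, 10, 32)`, or better, range-check 0-65535 before the cast, since that is the only meaningful port range for an APIEndpoint.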
Check failure
Code scanning / CodeQL
Incorrect conversion between integer types High
Copilot Autofix
AI about 1 month ago
General fix approach: Avoid converting from an architecture‑dependent int to a smaller integer type without enforcing that the value fits in the target type. For parsed numeric strings, either parse directly into the desired bit size via strconv.ParseInt/ParseUint, or add explicit upper/lower bound checks before casting.
Best fix for this code: In buildAPIEndpoint, replace strconv.Atoi with strconv.ParseInt specifying 32 bits and return int32(parsed) directly. This avoids the problematic int intermediate entirely and guarantees that any value that doesn’t fit in 32 bits causes a parse error, which the function already handles by returning the error. No change in observable behavior occurs for valid port numbers (0–65535), and the code becomes robust and architecture‑independent.
Concretely, in controlplane/rosa/controllers/rosacontrolplane_controller.go around lines 1392–1399:
- Change `port, err := strconv.Atoi(portStr)` to `port64, err := strconv.ParseInt(portStr, 10, 32)`.
- Adjust the error handling variable name accordingly.
- Change the returned struct field from `Port: int32(port)` to `Port: int32(port64)`.
No new imports are needed; strconv is already imported.
| @@ -1389,13 +1389,13 @@ | ||
| return nil, err | ||
| } | ||
|
|
||
| port, err := strconv.Atoi(portStr) | ||
| port64, err := strconv.ParseInt(portStr, 10, 32) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| return &clusterv1beta1.APIEndpoint{ | ||
| Host: host, | ||
| Port: int32(port), //#nosec G109 G115 | ||
| Port: int32(port64), | ||
| }, nil | ||
| } |
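Review bot: `strconv.ParseInt(portStr, 10, 32)` now rejects anything outside int32, but the hunk still accepts negative values and ports above 65535 (for example 99999), which produce a well-typed but unusable APIEndpoint; add an explicit `if port64 < 0 || port64 > 65535 { return nil, ... }` before the struct is built. Dropping the `//#nosec G109 G115` annotation is correct once the conversion is provably lossless.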
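The conversion issue above, worked as an added Go example that is not part of the cluster-api-provider-aws code: `portViaAtoi` reproduces the flagged Atoi-plus-cast pattern, and `parsePort` is the ParseInt fix extended with the 0-65535 range check that the autofix alone does not include. The function names and sample inputs are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// ErrPortOutOfRange is returned when a parsed value is not a valid TCP port.
var ErrPortOutOfRange = errors.New("port out of range 0-65535")

// portViaAtoi reproduces the flagged pattern: Atoi returns a platform-sized
// int, and the int32 cast silently wraps on 64-bit builds instead of failing.
func portViaAtoi(s string) (int32, error) {
	port, err := strconv.Atoi(s)
	if err != nil {
		return 0, err
	}
	return int32(port), nil // lossy on 64-bit when port exceeds MaxInt32
}

// parsePort is the hardened form: parse with an explicit 32-bit size so that
// oversized input is a parse error, then restrict to the TCP port space,
// which ParseInt with bitSize 32 alone does not do.
func parsePort(s string) (int32, error) {
	port64, err := strconv.ParseInt(s, 10, 32)
	if err != nil {
		return 0, err
	}
	if port64 < 0 || port64 > 65535 {
		return 0, ErrPortOutOfRange
	}
	return int32(port64), nil
}

func main() {
	// Constructed inputs: a normal port, an out-of-range port, and a value
	// (2^32 + 443) that wraps to 443 after a 64-bit int -> int32 conversion.
	for _, in := range []string{"443", "70000", "4294967739"} {
		a, aerr := portViaAtoi(in)
		p, perr := parsePort(in)
		fmt.Printf("%-11s atoi=%d err=%v | parsePort=%d err=%v\n", in, a, aerr, p, perr)
	}
}
```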