Skip to content

PCP-5551: check that trustpolicy configmap exists for early exit #989

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
snehala27 merged 1 commit into from
Dec 1, 2025
Merged

PCP-5551: check that trustpolicy configmap exists for early exit #989

snehala27 merged 1 commit into from
Dec 1, 2025

Conversation

@stefanSpectro
Copy link

@stefanSpectro stefanSpectro commented Nov 25, 2025

What type of PR is this?

What this PR does / why we need it:
We need this PR because creating the trust policy config map can fail after OIDCProvider.ARN is set in code. Once OIDCProvider.ARN is set then trust policy config map creation is never retried. We need to ensure we do not early exit only if OIDCProvider.ARN is set but also validate that the config map exists in this case.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #
https://spectrocloud.atlassian.net/browse/PCP-5551

Special notes for your reviewer:

Checklist:

  • squashed commits
  • includes documentation
  • includes emoji in title
  • adds unit tests
  • adds or updates e2e tests

Release note:

@spectro-prow
Copy link

spectro-prow commented Nov 25, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: stefanSpectro
To complete the pull request process, please assign after the PR has been reviewed.
You can assign the PR to them by writing /assign in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

bulwark-spectrocloud[bot]
bulwark-spectrocloud bot requested changes Nov 25, 2025
View reviewed changes
Copy link

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ GoVulnCheck scan found vulnerabilities:

  1. GO-2025-4123
    • Module: github.com/dvsekhvalnov/jose2go
    • Found in: v1.6.0
    • Fixed in: v1.7.0
    • Example Traces:
      1. pkg/rosa/client.go:51:70: rosa.NewOCMClient calls ocm.Build, which eventually calls keyring.Get
  2. GO-2025-3553
    • Module: github.com/golang-jwt/jwt/v4
    • Found in: v4.5.1
    • Fixed in: v4.5.2
    • Example Traces:
      1. pkg/rosa/client.go:51:70: rosa.NewOCMClient calls ocm.Build, which eventually calls authentication.Build

Please review these findings and fix the issues before merging.

@stefanSpectro
Copy link
Author

stefanSpectro commented Nov 25, 2025

⚠️ GoVulnCheck scan found vulnerabilities:

1. **GO-2025-4123**
   
   * Module: github.com/dvsekhvalnov/jose2go
   * Found in: v1.6.0
   * Fixed in: v1.7.0
   * Example Traces:
     1. pkg/rosa/client.go:51:70: rosa.NewOCMClient calls ocm.Build, which eventually calls keyring.Get

2. **GO-2025-3553**
   
   * Module: github.com/golang-jwt/jwt/v4
   * Found in: v4.5.1
   * Fixed in: v4.5.2
   * Example Traces:
     1. pkg/rosa/client.go:51:70: rosa.NewOCMClient calls ocm.Build, which eventually calls authentication.Build

Please review these findings and fix the issues before merging.

These were not changes done by me.

bulwark-spectrocloud[bot]
bulwark-spectrocloud bot requested changes Nov 25, 2025
View reviewed changes
Copy link

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ GoSec scan found code issues:

  1. G401: Use of weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/pkg/cloud/services/eks/iam/iam.go:532:13
  2. G505: Blocklisted import crypto/sha1: weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/pkg/cloud/services/eks/iam/iam.go:22:2

Please review these findings and fix the issues before merging.

@snehala27 snehala27 merged commit 246109f into spectro-master Dec 1, 2025
4 of 8 checks passed
jayesh-srivastava pushed a commit that referenced this pull request Dec 1, 2025
@stefanSpectro @jayesh-srivastava
check that trustpolicy configmap exists for early exit (#989)
72c4cbb
jayesh-srivastava added a commit that referenced this pull request Dec 1, 2025
@jayesh-srivastava @stefanSpectro
check that trustpolicy configmap exists for early exit (#989) (#991)
d367148 
Co-authored-by: stefanSpectro <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bulwark-spectrocloud bulwark-spectrocloud[bot] bulwark-spectrocloud[bot] requested changes

@snehala27 snehala27 snehala27 approved these changes

Assignees

No one assigned

Labels

auto-backport backport-spectro-release-4.8 size/XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@stefanSpectro @spectro-prow @snehala27 @jayesh-srivastava