OCPBUGS-7676: Update helm to v3.11.1 for CVE-2023-25165 #474
@tmshort: This pull request references Jira Issue OCPBUGS-7676, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: tmshort The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
56dca2d to b0d876d
/retest
@tmshort the "syncing everything from upstream" part consists of a lot of bug fixes. Are we okay with asking QE to do bulk testing using a single PR? Last I remember we were not doing bulk syncs since it's harder for QE to test, or much harder for us to quickly revert if we inadvertently break OpenShift CI. Not sure if the process/messaging/thinking around those have changed recently.
The helm CVE changes require updates to k8s 1.26, so many other changes need/should be pulled in. @perdasilva has another bulk-sync PR #465 that this is based on, so he and I were thinking the same thing (I think!).
Sounds like the ordering should then be:
That way we can hand QE individual pieces to test (and diagnose/dissect individual commits if problems arise)
The helm and 1.26 changes are already upstream as a single commit/merge (operator-framework/operator-lifecycle-manager#2933), so step 1 effectively encompasses everything (hence this PR). Also, the CIs likely won't pass until the final step (see #465). If we're OK with that, then I can break this up into at least 2 steps. I could separate out the helm+1.26 changes into a separate PR after getting the rest of the upstream fixes merged. EDIT: I didn't realize that you suggested step 1 to be individual commits, see my next comment.
/test e2e-gcp-ovn
Hmm... we are very far behind, and @perdasilva was trying to get us ahead. Given the number of upstream commits, that's a lot of effort (it's really just getting PRs tested and approved, as demonstrated by this PR, all the code has been merged locally). I'm concerned about the calendar time this will take, and getting the CI tests to behave.
I see the point. We shouldn't, however, push the pain from us to QE because we're far behind though. Also, if we can guarantee we'll not break anything in openshift with any of the commits, thereby requiring a full revert of all the PR later on, then we can say we can avoid any pain for ourselves now. But can we 100% guarantee something like that won't happen? :)
Understood. Would you be more comfortable with small groupings of commits (say two or three)? That will reduce the time/effort to a half or a third? There are ~50 (depending on how you count) commits to be downstreamed.
I was trying to EDIT: Given that this uses merge commits, it should be fairly easy to identify the broken individual commit, and roll back if necessary, assuming each batch starts at the tip.
After speaking with @kevinrizza, I'll probably do it as individual or small batches (2 or 3) commits at a time. Are you good with that @anik120?
…shift#255) If the bundle is not present, the current bundleLoader will panic when it gets to addChannelsFromAnnotationsFile. If the bundle is nil, addChannelsFromAnnotationsFile should not attempt to do anything so instead it just returns now. Signed-off-by: Brad P. Crochet <brad@redhat.com> Signed-off-by: Brad P. Crochet <brad@redhat.com> Upstream-repository: api Upstream-commit: 5f99430d4ec47d59daafa3b818229f0466531dea
Signed-off-by: Jordan <jordan@nimblewidget.com> Signed-off-by: Jordan <jordan@nimblewidget.com> Upstream-repository: api Upstream-commit: 7339a22050af53df7b6f97a652b8e2d73698765a
updated format defs Upstream-repository: api Upstream-commit: ff2dbc53d3817df9b62a83dbe83cb221e7c043f4
…nshift#262) Signed-off-by: timflannagan <timflannagan@gmail.com> Upstream-repository: api Upstream-commit: 72295edd2bb11d414a1db6d6643fe3f3918c5ae4
…enshift#264) Signed-off-by: timflannagan <timflannagan@gmail.com> Signed-off-by: timflannagan <timflannagan@gmail.com> Upstream-repository: api Upstream-commit: e4d13db375b88f764a953ce34925e4ad4e79e5fa
Signed-off-by: timflannagan <timflannagan@gmail.com> Upstream-repository: api Upstream-commit: 4d4ed5a299506cab8898036a873031e6faa4b0fd
This PR upgrades the version of yq used in the makefile from v3@latest to v4@v4.28.1 Upstream-repository: api Upstream-commit: b527a19c8e14e2249d5a5cdb88063cfb136fdafb
* update k8s 1.25 validation logic to look for deprecated k8s APIs in various CSV fields Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * update validation logic Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * remove debug statements Signed-off-by: Bryce Palmer <bpalmer@redhat.com> Signed-off-by: Bryce Palmer <bpalmer@redhat.com> Upstream-repository: api Upstream-commit: b611f6cef49cb8c6d621145c4e31d8ddfd4c59f4
…ng a warning (openshift#274) * fix a bug in k8s 1.25 validation logic to now check the apiGroup/resource to determine if an api is deprecated. Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * update warning and error checks to use a map Signed-off-by: Bryce Palmer <bpalmer@redhat.com> Signed-off-by: Bryce Palmer <bpalmer@redhat.com> Upstream-repository: api Upstream-commit: f1b729684854a053f229464eb327527222188fd1
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.3.7 to 0.3.8. - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.3.7...v0.3.8) Upstream-repository: api Upstream-commit: e8bb2e01756424cd3de5ec8521ef370623459cae --- updated-dependencies: - dependency-name: golang.org/x/text dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
This commit updates the goreleaser github action to install QEMU to support emulation of multiple architectures. Signed-off-by: Alexander Greene <greene.al1991@gmail.com> Upstream-repository: operator-lifecycle-manager Upstream-commit: dac8182eb62acc1cb489d17ccc34f243f43d4f94
* opm serve: use pre-existing cache, if set and up-to-date Signed-off-by: Joe Lanford <joe.lanford@gmail.com> * refactor to leave NewQuerier function untouched Signed-off-by: Joe Lanford <joe.lanford@gmail.com> Signed-off-by: Joe Lanford <joe.lanford@gmail.com> Upstream-repository: operator-registry Upstream-commit: 494b68e62a814a891821aeb2bd28f33abc1624ff
Signed-off-by: Jordan Keister <jordan@nimblewidget.com> Signed-off-by: Jordan Keister <jordan@nimblewidget.com> Upstream-repository: operator-registry Upstream-commit: bd3c80489dbf6942005c345a33733fb782e952fe
Signed-off-by: Austin Macdonald <austin@redhat.com> Signed-off-by: Austin Macdonald <austin@redhat.com> Upstream-repository: operator-registry Upstream-commit: 6d762ada58dfd90f41cc002d8f34c01811312f6f
Signed-off-by: Jordan Keister <jordan@nimblewidget.com> Signed-off-by: Jordan Keister <jordan@nimblewidget.com> Upstream-repository: operator-registry Upstream-commit: 979865370ec633e0f6b711be50a93dccf6d4fbe5
Signed-off-by: jcho02 <jason.cho2@ibm.com> Signed-off-by: jcho02 <jason.cho2@ibm.com> Upstream-repository: operator-registry Upstream-commit: 0271e7847d0b71cd969a2426f5532a4cb1cddd40
…be empty in error scenario (#1032) Signed-off-by: Adam D. Cornett <adc@redhat.com> Signed-off-by: Adam D. Cornett <adc@redhat.com> Upstream-repository: operator-registry Upstream-commit: d888b725a43440428800c3eea06adaafe1110a56
Signed-off-by: Jordan Keister <jordan@nimblewidget.com> Signed-off-by: Jordan Keister <jordan@nimblewidget.com> Upstream-repository: operator-registry Upstream-commit: 89594183c5c9ea38c183d2f38c2644dba0f37024
…e (#1043) Signed-off-by: Joe Lanford <joe.lanford@gmail.com> Signed-off-by: Joe Lanford <joe.lanford@gmail.com> Upstream-repository: operator-registry Upstream-commit: 0080ea0a938fdb91662a6ca36387aa71d3a52b28
* update render unmarshal failures Signed-off-by: Jordan Keister <jordan@nimblewidget.com> * revamp for pretty format, error.As approach Signed-off-by: Jordan Keister <jordan@nimblewidget.com> Signed-off-by: Jordan Keister <jordan@nimblewidget.com> Upstream-repository: operator-registry Upstream-commit: 249ae621bb8fa6fc8a8e4a5ae26355577393f127
* initial implementation pass Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * initial implementation pass Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * update implementation Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * add unit tests and any changes necessary in relation to adding unit tests. Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * verify schemas and fail if they don't match Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * add better validations and decrease some code duplication as well as add the necessary additional test cases Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * remove some TODO comments and hardcode containerTool as 'docker' as per review comments Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * update the custom veneer builder to work like the other veneer builders by reading a full FBC from STDOUT and writing it to the output destination in the custom veneer config. Also adds additional test cases to cover the new changes. Signed-off-by: Bryce Palmer <bpalmer@redhat.com> Signed-off-by: Bryce Palmer <bpalmer@redhat.com> Upstream-repository: operator-registry Upstream-commit: 104e0276e46d4aae6d4d8b364c03576893229e71
Signed-off-by: Joe Lanford <joe.lanford@gmail.com> Signed-off-by: Joe Lanford <joe.lanford@gmail.com> Upstream-repository: operator-registry Upstream-commit: b7307b57c5f67b296098e66bfe38458e762c99aa
…st on generated files (#1060) Signed-off-by: Jordan <jordan@nimblewidget.com> Signed-off-by: Jordan <jordan@nimblewidget.com> Upstream-repository: operator-registry Upstream-commit: 67e6777b5f5f9d337b94da98b8c550c231a8b47c
…ring (#1063) * exclude bundles with `olm.deprecated` property when rendering Signed-off-by: Rashmi Gottipati <chowdary.grashmi@gmail.com> * Exclude bundles based on the property type and not value Signed-off-by: Rashmi Gottipati <chowdary.grashmi@gmail.com> --------- Signed-off-by: Rashmi Gottipati <chowdary.grashmi@gmail.com> Upstream-repository: operator-registry Upstream-commit: 0aeffa3f44f5e36bd2c0bcc63a94eda000a5f257
* rename template to veneer Signed-off-by: Jordan Keister <jordan@nimblewidget.com> * fixing some utest Signed-off-by: Jordan Keister <jordan@nimblewidget.com> * adding cobra exit-status consistency through command hierarchy, adding temp skips of failing utests until we get the new release Signed-off-by: Jordan Keister <jordan@nimblewidget.com> --------- Signed-off-by: Jordan Keister <jordan@nimblewidget.com> Upstream-repository: operator-registry Upstream-commit: 57a959da1177335976c5efcc592cc423ff90e2cd
Signed-off-by: Jordan Keister <jordan@nimblewidget.com> Upstream-repository: operator-registry Upstream-commit: 1446d7be762d9eb3c88dddb2828a61debdcd6cd6
Signed-off-by: Jordan Keister <jordan@nimblewidget.com> Upstream-repository: operator-registry Upstream-commit: 0a7ff74f9fc6c92be12a48a0f8e67ecfb6a8e60e Signed-off-by: perdasilva <perdasilva@redhat.com>
Update go.mod, go.sum and vendor directory via go mod tidy|vendor Signed-off-by: Todd Short <todd.short@me.com>
Don't update pkg/manifests/csv.yaml Signed-off-by: Todd Short <todd.short@me.com>
Yup sounds good to me, thanks Todd! I'm going to close #473 with a comment in https://issues.redhat.com/browse/OCPBUGS-7910 that a batch PR will pick this up and move the ticket to post.
781868a to bac11fa
PR needs rebase.
@tmshort: The following tests failed, say
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale
@tmshort: This pull request references Jira Issue OCPBUGS-7676. The bug has been updated to no longer refer to the pull request using the external bug tracker. In response to this:
Also syncs everything from upstream repos as of 2023-03-15.