ERA-60186, ERA-60187: CVEs fixes, NDB resource cluster scope change #206
Open
shivaprasadmb wants to merge 8 commits into main from
* feat: support name-based inputs for cluster, source database, and snapshot
  - Add name fields (clusterName, sourceDatabaseName, snapshotName) to API types
  - Make UUID fields optional when name is provided
  - Add NDB API functions to resolve names to UUIDs
  - Update validation to accept either UUID or name
  - Integrate name resolution in controller before API calls
  - Maintain backward compatibility with UUID inputs
* test: update test configs to support name-based inputs
  - Add optional name fields (clusterName, sourceDatabaseName, snapshotName) to test configs
  - Keep clusterId/sourceDatabaseId/snapshotId for backward compatibility
  - Update test setup to support both UUID and name inputs via env vars
  - Update cloning helpers to respect names if provided
  - Update README documentation with name examples
* fix: update webhook tests for name-based validation
  - Update test expectations to match new validation messages
  - Fix variable shadowing in instance_manager (err assignment)
  - Tests now expect 'Either X or Y must be provided' messages
* chore: update generated files
  - Update RBAC role with latest controller-gen v0.18.0
  - Format code with go fmt
* fix: restore original webhook test setup from v0.5.2
* fix: update webhook test expectations for name-based validation
* Fix snapshot name resolution to pick latest snapshot

  When multiple snapshots share the same name, the operator now correctly picks the most recent snapshot instead of the first one encountered.

  Changes:
  - Added SnapshotTimeStampDate field to SnapshotResponse struct
  - Modified ResolveSnapshotNameToId to collect all matching snapshots, compare timestamps, and return the ID of the most recent one

  Verified: Clone operation now uses cb7d85f2... (Feb 05) instead of aa34c323... (Jan 23) when given snapshotName "era_auto_snapshot"
* Update test configurations to use name-based resolution by default
  - Updated all provisioning and cloning test configs (Mongo, MSSQL, MySQL, PostgreSQL) to use name-based inputs (clusterName, sourceDatabaseName, snapshotName) as the default
  - UUID-based fields (clusterId, sourceDatabaseId, snapshotId) are now commented out as alternatives
  - Enhanced test suite utilities to properly handle name-based resolution testing
  - Updated kustomization.yaml with latest operator image configuration
  - Minor improvements to name resolution controller adapter

  All tests have been validated for both provisioning and cloning operations across all four database types.
* Add .env template and update .gitignore
* Update README comments

  Co-authored-by: Cursor <cursoragent@cursor.com>
* Update README secret comment

  Co-authored-by: Cursor <cursoragent@cursor.com>
* Run go fmt

  Co-authored-by: Cursor <cursoragent@cursor.com>
* Fix snapshot index bug in cloning helpers

  Co-authored-by: Cursor <cursoragent@cursor.com>
* Refactor name resolution code

  Reorganize NDB API functions by entity and fix env file handling

  Co-authored-by: Cursor <cursoragent@cursor.com>
* empty commit

  Co-authored-by: Cursor <cursoragent@cursor.com>
* empty commit
* Replace Synopsys Black Duck workflows with new implementation

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
| name: "DEFAULT_SQLSERVER_DATABASE_PARAMS" | ||
| dbParamInstance: | ||
| name: "DEFAULT_SQLSERVER_INSTANCE_PARAMS" | ||
| profiles: {} |
Contributor
If automation is run with webhooks enabled, this manifest will be rejected at admission.
Contributor
Author
I have kept dbparams for MSSQL now, please review
sasikanthmasini
approved these changes
Feb 26, 2026
What this PR does / why we need it:
Makes NDBServer cluster-scoped and replaces credentialSecret (string) with credentialSecretRef (name + namespace). Admins can store the NDB API credential secret in a restricted namespace (e.g. ndb-credentials); developers reference the cluster-scoped NDBServer by name in ndbRef and no longer need access to that secret’s namespace. Also adds dedicated ndb-credentials namespace in automation, updates README and upgrade notes, and fixes a possible nil dereference in two automation test helpers.
Which issue(s) this PR fixes
Fixes #
Use bitnami/kube-rbac-proxy in place of quay.io/brancz/kube-rbac-proxy:
Below are the screenshots
Sample security report of bitnami image

How Has This Been Tested?:
- make generate manifests and go build ./...
- make deploy to a local cluster; confirmed NDBServer CRD is cluster-scoped and uses credentialSecretRef
- MYSQL provisioning
- MYSQL cloning
- PGSI provisioning
- PGSI cloning

Special notes for your reviewer:
Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.
Release note:
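
The scoping change described under "What this PR does" above, sketched as manifests. This is an added example, not taken from the pull request or the project's own manifests. Only `credentialSecretRef` (name + namespace), `credentialSecret` and the `ndb-credentials` namespace come from the page; the API group/version, the `server` field, the resolution of `credentialSecret` in the NDBServer's own namespace, and every resource, namespace and service-account name are assumptions, as is the operator reading the secret with a direct `get`.

```yaml
# Before: namespaced NDBServer; the secret has to live where developers work.
apiVersion: ndb.nutanix.com/v1alpha1   # group/version assumed
kind: NDBServer
metadata:
  name: ndb
  namespace: dev-team                  # constructed namespace
spec:
  server: https://ndb.example.internal:8443/era/v0.9   # placeholder URL
  credentialSecret: ndb-secret         # string: assumed resolved in dev-team
---
# After: cluster-scoped NDBServer (no metadata.namespace); the secret is
# referenced by name + namespace and stays in an admin-only namespace.
apiVersion: ndb.nutanix.com/v1alpha1
kind: NDBServer
metadata:
  name: ndb
spec:
  server: https://ndb.example.internal:8443/era/v0.9
  credentialSecretRef:
    name: ndb-secret
    namespace: ndb-credentials
---
# Read access to that one secret, for the operator's service account only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ndb-secret-reader              # hypothetical name
  namespace: ndb-credentials
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["ndb-secret"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ndb-secret-reader
  namespace: ndb-credentials
subjects:
  - kind: ServiceAccount
    name: ndb-operator-controller-manager   # hypothetical
    namespace: ndb-operator-system          # hypothetical
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ndb-secret-reader
```

With no binding for developer identities in `ndb-credentials`, `kubectl auth can-i get secret/ndb-secret -n ndb-credentials --as=system:serviceaccount:dev-team:default` should answer `no`, while databases in `dev-team` still reach NDB by naming the cluster-scoped NDBServer in `ndbRef`.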