Add script for auto-releasing bundle to FBC #766
Conversation
|
|
||
| self._template: dict[str, Any] = {} | ||
| self.template_path = ( | ||
| self.operator.root / "catalog-templates" / self.template_name |
There was a problem hiding this comment.
Should self.operator be safety checked here prior to referencing self.operator.root, since operator can potentially initialize as None?
https://github.com/mporrato/operator-repo/blob/v0.4.11/src/operator_repo/core.py#L37
update: the operator appears to already be checked for None here, this appears sufficient to address this concern (please confirm) --
https://github.com/mporrato/operator-repo/blob/v0.4.11/src/operator_repo/core.py#L146
There was a problem hiding this comment.
(note that after this instantiation, there are also a number of additional spots below where self.operator.[operator-attribute] could similarly cause uncaught exceptions if operator is None)
There was a problem hiding this comment.
You don't have to worry about the attributes. The Operator-repo library is written in a way that doesn't allow you to initiate an object (Repo, Operator,...) that would not be validated first. So if we pass an invalid input to the CLI it won't even execute an initiate these objects.
There was a problem hiding this comment.
Ack, thanks for the confirm/clarification
| self.template_type, | ||
| "-o", | ||
| "yaml", | ||
| self.template_path, |
There was a problem hiding this comment.
Are the constructor params which are originally used to create template_path checked/validated in some way before this? (wondering if command could potentially be vulnerable to command injection)
There was a problem hiding this comment.
The self.operator that is used to generate the template_path is defined in our library and it always make sure the path is valid path pointing to an operator (validation is done using probes - if no valid operator the whole app fails on purpose). There are also a couple of preventative action that disallow any injection.
- the
self.template_pathis a type ofPaththat should point to a valid path on a system - we run a command using a subprocess with a disabled shell
- the command is executed using separate args given by the list variable ["opm", "alpha", "render", ....] which doesn't allow injecting any vulnerable code.
With these reasons and fact that we will call this CLI tool in our pipelines and we can control inputs I think we have enough validation around.
openshift-merge-robot
added
the
needs-rebase
The new script is introduced that automatically release a new bundle to a fbc template and renders it to catalog using opm command. The script creates templates if not exists yet or amend template and add new bundle. The script uses a new catalog mapping in ci.yaml and new release-config.yaml file that contains info about how to release a bundle. JIRA: ISV-5506 Signed-off-by: Ales Raszka <[email protected]>
openshift-merge-robot
removed
the
needs-rebase
The new script is introduced that automatically release a new bundle to a fbc template and renders it to catalog using opm command.
The script creates templates if not exists yet or amend template and add new bundle. The script uses a new catalog mapping in ci.yaml and new release-config.yaml file that contains info about how to release a bundle.
JIRA: ISV-5506
Merge Request Checklists